CVE-2019-17514 — Vulnetix

CVE-2019-17514 PUBLISHED

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

EPSS 2.22% · 84.8th percentile

Risk Scores

EPSS Score

2.22%

84.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:20.04:LTS	python2.7	0, 2.7.17-1, 2.7.17-1ubuntu5
Ubuntu:16.04:LTS	python3.5	3.5.2-2ubuntu0~16.04.5, 3.5.2-2ubuntu0~16.04.4, 3.5.2-2ubuntu0~16.04.3
Ubuntu:Pro:14.04:LTS	python3.5	0, 3.5.2-2ubuntu0~16.04.4~14.04.1
Ubuntu:16.04:LTS	python2.7	2.7.10-4ubuntu2, 2.7.11-3, 2.7.11-4
Ubuntu:18.04:LTS	python3.8	0
Ubuntu:18.04:LTS	python3.6	3.6.8-1~18.04.1, 0, 3.6.4~rc1-1
Ubuntu:20.04:LTS	python3.8	0, 3.8.0-4, 3.8.2-1ubuntu1
Ubuntu:Pro:18.04:LTS	python3.7	3.7.5-2ubuntu1~18.04.2+esm2, ,
Ubuntu:Pro:14.04:LTS	python3.4	0, 3.4~b1-0ubuntu3, 3.4~b1-4ubuntu4
Ubuntu:Pro:14.04:LTS	python2.7	2.7.6-8ubuntu0.6+esm2, 2.7.5-8ubuntu3, 2.7.5-8ubuntu4
Ubuntu:18.04:LTS	python2.7	2.7.14-4, 0, *
Ubuntu:Pro:22.04:LTS	python2.7	2.7.18-13ubuntu1.5+esm2, 2.7.18-13ubuntu1.5+esm5, 2.7.18-13ubuntu1.5+esm6

Exploit Intelligence

…and 4 more exploits

Timeline

Oct 12, 2019 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Nov 6, 2022 EPSS Score
Mar 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2019-17514 third-party-advisory
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380 third-party-advisory
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405 third-party-advisory
https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216 third-party-advisory
https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip third-party-advisory
https://twitter.com/chris_bloke/status/1181997278136958976 third-party-advisory
https://twitter.com/LucasCMoore/status/1181615421922824192 third-party-advisory
https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html third-party-advisory
https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html third-party-advisory
https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html third-party-advisory
https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html third-party-advisory
https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies third-party-advisory
https://ubuntu.com/security/notices/USN-4428-1 vendor-advisory
https://ubuntu.com/security/notices/USN-4754-3 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-17514 third-party-advisory
https://ubuntu.com/security/notices/USN-6891-1 vendor-advisory

Open in Interactive Console →