CVE-2019-17514
Vulnerability from cvelistv5
Published
2019-10-12 12:07
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:15.920Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.python.org/issue33275" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://twitter.com/LucasCMoore/status/1181615421922824192" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://twitter.com/chris_bloke/status/1181997278136958976" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20191107-0005/" }, { "name": "USN-4428-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4428-1/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-27T17:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.python.org/issue33275" }, { "tags": [ "x_refsource_MISC" ], "url": "https://twitter.com/LucasCMoore/status/1181615421922824192" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies" }, { "tags": [ "x_refsource_MISC" ], "url": "https://twitter.com/chris_bloke/status/1181997278136958976" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20191107-0005/" }, { "name": "USN-4428-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4428-1/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17514", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html", "refsource": "MISC", "url": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html" }, { "name": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html", "refsource": "MISC", "url": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html" }, { "name": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html", "refsource": "MISC", "url": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html" }, { "name": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html", "refsource": "MISC", "url": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html" }, { "name": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380", "refsource": "MISC", "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380" }, { "name": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405", "refsource": "MISC", "url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405" }, { "name": "https://bugs.python.org/issue33275", "refsource": "MISC", "url": "https://bugs.python.org/issue33275" }, { "name": "https://twitter.com/LucasCMoore/status/1181615421922824192", "refsource": "MISC", "url": "https://twitter.com/LucasCMoore/status/1181615421922824192" }, { "name": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip", "refsource": "MISC", "url": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip" }, { "name": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216", "refsource": "MISC", "url": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216" }, { "name": "https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies", "refsource": "MISC", "url": "https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies" }, { "name": "https://twitter.com/chris_bloke/status/1181997278136958976", "refsource": "MISC", "url": "https://twitter.com/chris_bloke/status/1181997278136958976" }, { "name": "https://security.netapp.com/advisory/ntap-20191107-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20191107-0005/" }, { "name": "USN-4428-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4428-1/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17514", "datePublished": "2019-10-12T12:07:23", "dateReserved": "2019-10-12T00:00:00", "dateUpdated": "2024-08-05T01:40:15.920Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-17514\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-10-12T13:15:10.790\",\"lastModified\":\"2020-07-27T18:15:12.277\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \\\"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\\\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.\"},{\"lang\":\"es\",\"value\":\"La biblioteca library/glob.html en la documentaci\u00f3n de Python versiones 2 y 3 antes del 2016, presenta informaci\u00f3n potencialmente enga\u00f1osa sobre si ocurre la clasificaci\u00f3n, como es demostrado por los resultados irreproducibles de la investigaci\u00f3n del c\u00e1ncer. NOTA: los efectos de esta documentaci\u00f3n cruzan dominios de aplicaci\u00f3n y, por lo tanto, es probable que el c\u00f3digo relevante para la seguridad en otros lugares este afectado. Este problema no es un error de implementaci\u00f3n de Python, y no existen reportes de que los investigadores de RMN confiaran espec\u00edficamente en la biblioteca library/glob.html. En otras palabras, debido a que la documentaci\u00f3n m\u00e1s antigua declara \\\"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\\\" uno podr\u00eda haber inferido incorrectamente que la clasificaci\u00f3n que ocurre en un shell de Unix tambi\u00e9n se present\u00f3 para glob.glob. Existe una soluci\u00f3n alternativa en las versiones m\u00e1s nuevas de Willoughby nmr-data_compilation-p2.py y nmr-data_compilation-p3.py, que llaman a la funci\u00f3n sort() directamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-682\"},{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:3.6.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1ED4F49-515C-4848-9517-0793361EE8D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:3.7.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BFDF292-ACD2-4225-95B3-51343D2C5E85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:3.8.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"707791F5-F864-4DE1-8E54-58A00E17B85F\"}]}]}],\"references\":[{\"url\":\"https://bugs.python.org/issue33275\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20191107-0005/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://twitter.com/LucasCMoore/status/1181615421922824192\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://twitter.com/chris_bloke/status/1181997278136958976\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4428-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies\",\"source\":\"cve@mitre.org\",\"tags\":[\"Press/Media Coverage\",\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.