Vulnerability Name:

CCN-122295

Published:2017-02-20
Updated:2017-02-20
Summary:Java and Python could allow a remote attacker to bypass security restrictions, caused by an FTP protocol injection flaw in the built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) and Java's FTP URL handling code. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to inject FTP commands into the protocol stream and identify the victim's internal IP address, determine the appropriate packet alignment and launch further attacks on the system.
CVSS v3 Severity:7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:U/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Complete
Availibility (A): None
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Blindspot Security Blog, Monday, February 20, 2017
Advisory: Java/Python FTP Injections Allow for Firewall Bypass

Source: CCN
Type: The Hacker News Web site
Unpatched Python and Java Flaws Let Hackers Bypass Firewall Using FTP Injection

Source: CCN
Type: Oracle Web site
Java

Source: XF
Type: UNKNOWN
java-python-xxe-injection(122295)

Source: CCN
Type: Python Web site
Welcome to Python.org

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:python:python:*:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:java:7:u191:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    python python *
    oracle java 7 u191