Vulnerability CVE-2020-27619

Vulnerability Name:

CVE-2020-27619 (CCN-190408)

Assigned:

2020-10-05

Published:

2020-10-05

Updated:

2023-01-31

Summary:

In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-95

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-27619

Source: CCN
Type: Python Issue41944
[security] Python testsuite calls eval() on content received via HTTP

Source: cve@mitre.org
Type: Issue Tracking, Patch, Vendor Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
python-cve202027619-unspecified(190408)

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: CCN
Type: cpython GIT Repository
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22578)

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: CCN
Type: cpython GIT Repository
bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests (GH-22575)

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: CCN
Type: cpython GIT Repository
bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Issue Tracking, Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Issue Tracking, Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 6464381 (Streams Cloud Private)
Streams service for IBM Cloud Pak for Data might be affected by some underlying Python vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6476940 (Cloud Pak for Security)
Cloud Pak for Security has several security vulnerabilities addressed in the latest version

Source: CCN
Type: IBM Security Bulletin 6491661 (Cognos Analytics)
IBM Cognos Analytics with Watson 11.2.1 has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6520474 (QRadar SIEM)
IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6830257 (Robotic Process Automation)
Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-27619

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration RedHat 5:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:python:python:3.0:-:*:*:*:*:*:*

OR cpe:/a:python:python:3.1:-:*:*:*:*:*:*

OR cpe:/a:python:python:3.2:-:*:*:*:*:*:*

OR cpe:/a:python:python:3.3:*:*:*:*:*:*:*

OR cpe:/a:python:python:3.4:*:*:*:*:*:*:*

OR cpe:/a:python:python:3.5.0:-:*:*:*:*:*:*

OR cpe:/a:python:python:3.7:*:*:*:*:*:*:*

OR cpe:/a:python:python:3.6.0:-:*:*:*:*:*:*

AND

cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8061	P	python3-tools-3.6.15-150300.10.45.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7654	P	libpython3_6m1_0-3.6.15-150300.10.45.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3426	P	ant-1.9.4-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3193	P	libjavascriptcoregtk-4_0-18-2.24.4-2.47.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3364	P	shadow-4.2.1-34.20 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3065	P	expat-2.1.0-21.9.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94874	P	docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.31.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95171	P	jakarta-taglibs-standard-1.1.1-2.42 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94695	P	libpython3_6m1_0-3.6.15-150300.10.21.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95056	P	python3-tools-3.6.15-150300.10.21.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:188	P	libpython3_6m1_0-3.6.13-3.78.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:101587	P	Security update for openjpeg2 (Important)	2022-04-19
oval:org.opensuse.security:def:94476	P	(Important)	2022-02-18
oval:org.opensuse.security:def:5342	P	Security update for apache2 (Important)	2022-02-16
oval:org.opensuse.security:def:113244	P	python36-3.6.15-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:101884	P	Security update for postgresql12 (Important)	2021-11-22
oval:com.redhat.rhsa:def:20214162	P	RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214151	P	RHSA-2021:4151: python27:2.7 security update (Moderate)	2021-11-09
oval:org.opensuse.security:def:106657	P	python36-3.6.15-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:96777	P	strongswan-5.6.0-2.43 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:4465	P	Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP5) (Important)	2021-08-17
oval:org.opensuse.security:def:62206	P	libpython3_6m1_0-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:100964	P	libpython3_6m1_0-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63041	P	python3-tools-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101189	P	libexif-devel-0.6.22-5.6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1117	P	libpython3_6m1_0-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:71947	P	libpython3_6m1_0-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1952	P	python3-tools-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72760	P	python3-tools-3.6.13-3.78.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:4410	P	Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) (Important)	2021-05-25
oval:com.redhat.rhsa:def:20211633	P	RHSA-2021:1633: python3 security update (Moderate)	2021-05-18
oval:org.opensuse.security:def:31172	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:55898	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:85636	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:20970	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:126702	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:32917	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:57914	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:87381	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:29362	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:51559	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:83402	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:34432	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:59729	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:89384	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:31619	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:56018	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:86083	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:23571	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:127099	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:33648	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:88115	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:30075	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:51887	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:84139	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:32091	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:56995	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:86555	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:23899	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:82569	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:33906	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:58740	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:88427	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:30195	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:55185	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:84596	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:125532	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:60255	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:57442	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:26050	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:49441	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:83282	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:5037	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:59471	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:89126	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:110387	P	Security update for python3 (Important)	2020-12-29
oval:org.opensuse.security:def:110929	P	Security update for python3 (Important)	2020-12-28
oval:org.opensuse.security:def:74622	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:9281	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:66712	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:98103	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:107855	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:73404	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:90693	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:117370	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:65499	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:75499	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:104086	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:10035	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:69421	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:108253	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:73575	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:91138	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:117767	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:5623	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:65554	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:97396	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:75780	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:104348	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:70175	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:64282	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:108550	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:74567	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:8538	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:66431	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:97658	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:104793	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:90431	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:64453	P	Security update for python3 (Important)	2020-12-23
oval:org.opensuse.security:def:60160	P	Security update for python36 (Important)	2020-12-17
oval:org.opensuse.security:def:34337	P	Security update for python36 (Important)	2020-12-17
oval:org.opensuse.security:def:58651	P	Security update for python36 (Important)	2020-12-11
oval:org.opensuse.security:def:32828	P	Security update for python36 (Important)	2020-12-11
oval:org.opensuse.security:def:87292	P	Security update for python36 (Important)	2020-12-11

BACK