NVD脆弱性詳細

CVE-2019-16056

概要	An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
公表日	2019年9月7日3:15
登録日	2021年1月26日11:39
最終更新日	2024年11月21日13:29

CVSS3.1 : HIGH
スコア	7.5
ベクター	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
スコア	5.0
ベクター	AV:N/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	いいえ

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:python:python::::::::		2.7.16
cpe:2.3:a:python:python::::::::	3.5.0	3.5.7
cpe:2.3:a:python:python::::::::	3.6.0	3.6.9
cpe:2.3:a:python:python::::::::	3.7.0	3.7.4
cpe:2.3:a:python:python::::::::	3.0.0	3.0.1
cpe:2.3:a:python:python::::::::	3.1.0	3.1.5
cpe:2.3:a:python:python::::::::	3.2.0	3.2.6
cpe:2.3:a:python:python::::::::	3.3.0	3.3.7
cpe:2.3:a:python:python::::::::	3.4.0	3.4.10

構成2	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:29:::::::*
cpe:2.3:o:fedoraproject:fedora:30:::::::*
cpe:2.3:o:fedoraproject:fedora:31:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::

構成5		以上	以下	より上	未満
cpe:2.3:a:redhat:software_collections:1.0:::::::*

構成6	以上	以下	より上	未満
cpe:2.3:o:oracle:solaris:11:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
cpe:2.3:a:oracle:communications_operations_monitor:3.4:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
cpe:2.3:a:oracle:communications_operations_monitor::::::::	4.1	4.3
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*

構成7	以上	以下	より上	未満
cpe:2.3:o:opensuse:leap:15.0:::::::*
cpe:2.3:o:opensuse:leap:15.1:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html	Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html	Third Party Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html	Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html	Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html	Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html	Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	Third Party Advisory
11	https://access.redhat.com/errata/RHSA-2019:3725	Third Party Advisory
12	https://access.redhat.com/errata/RHSA-2019:3725	Third Party Advisory
13	https://access.redhat.com/errata/RHSA-2019:3948	Third Party Advisory
14	https://access.redhat.com/errata/RHSA-2019:3948	Third Party Advisory
15	https://bugs.python.org/issue34155	Issue Tracking Vendor Advisory
16	https://bugs.python.org/issue34155	Issue Tracking Vendor Advisory
17	https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9	Patch
18	https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9	Patch
19	https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
20	https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
21	https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html	Mailing List Third Party Advisory
22	https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html	Mailing List Third Party Advisory
23	https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html	Mailing List Third Party Advisory
24	https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html	Mailing List Third Party Advisory
25	https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List Third Party Advisory
26	https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List Third Party Advisory
27	https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Mailing List Third Party Advisory
28	https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Mailing List Third Party Advisory
29	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
30	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
31	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/
32	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/
33	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/
34	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/
35	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
36	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
37	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
38	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
39	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
40	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
41	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/
42	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/
43	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/
44	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/
45	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
46	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
47	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/
48	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/
49	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
50	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
51	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/
52	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/
53	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/
54	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/
55	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/
56	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/
57	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/
58	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/
59	https://security.netapp.com/advisory/ntap-20190926-0005/	Third Party Advisory
60	https://security.netapp.com/advisory/ntap-20190926-0005/	Third Party Advisory
61	https://usn.ubuntu.com/4151-1/	Third Party Advisory
62	https://usn.ubuntu.com/4151-1/	Third Party Advisory
63	https://usn.ubuntu.com/4151-2/	Third Party Advisory
64	https://usn.ubuntu.com/4151-2/	Third Party Advisory
65	https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory
66	https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory
67	https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory
68	https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory

共通脆弱性一覧

JVN脆弱性情報

Python における入力確認に関する脆弱性

タイトル	Python における入力確認に関する脆弱性
概要	Python には、入力確認に関する脆弱性が存在します。本脆弱性は、CVE-2019-11340 と同様の脆弱性です。
想定される影響	情報を取得される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2019年7月18日0:00
登録日	2019年9月11日17:27
最終更新日	2019年9月11日17:27

影響を受けるシステム

Python Software Foundation

Python 2.7.16 まで

Python 3.5.7 までの 3.x

Python 3.6.9 までの 3.6.x

Python 3.7.4 までの 3.7.x

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-16056	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
National Vulnerability Database (NVD)
2	CVE-2019-16056	https://nvd.nist.gov/vuln/detail/CVE-2019-16056

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	名前	URL
GitHub
1	bpo-34155: Dont parse domains containing @ (GH-13079)	https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9
Python bug tracker
2	Issue34155	https://bugs.python.org/issue34155

変更履歴

No	変更内容	変更日
1	[2019年09月11日] 掲載	2019年9月11日17:27