CVEs-PoC/2019/CVE-2019-10160.md

### [CVE-2019-10160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160)
![](https://img.shields.io/static/v1?label=Product&message=python&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20affects%202.7%2C%203.5%2C%203.6%2C%203.7%2C%20%3E%3D%20v3.8.0a4%20and%20%3C%20v3.8.0b1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-172&color=brighgreen)

### Description

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

### POC

#### Reference
- https://usn.ubuntu.com/4127-2/

#### Github
No PoCs found on GitHub currently.