CVE-2019-17514

Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 12 Oct 2019, 12:07
Last modified:05 Aug 2024, 01:40

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
2.22% LOW
2% probability +0.51%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

12 Oct 2019, 12:07
Published
Vulnerability first disclosed
05 Aug 2024, 01:40
Last Modified
Vulnerability information updated

Description

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 2.22% Percentile: 85%

Techniques & Countermeasures

  • CWE-682Incorrect Calculation

    The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Affected Systems

  • pythonpython

    3.6.0 | 3.7.0 | 3.8.0

References (14)