gsd-2021-28861
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Aliases
Aliases
{ GSD: { alias: "CVE-2021-28861", description: "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure.", id: "GSD-2021-28861", references: [ "https://www.suse.com/security/cve/CVE-2021-28861.html", "https://advisories.mageia.org/CVE-2021-28861.html", "https://access.redhat.com/errata/RHSA-2022:6766", "https://access.redhat.com/errata/RHSA-2022:8353", "https://ubuntu.com/security/CVE-2021-28861", "https://access.redhat.com/errata/RHSA-2023:0833", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2021-28861", ], details: "** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"", id: "GSD-2021-28861", modified: "2023-12-13T01:23:29.196044Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-28861", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://bugs.python.org/issue43223", refsource: "MISC", url: "https://bugs.python.org/issue43223", }, { name: "https://github.com/python/cpython/pull/93879", refsource: "MISC", url: "https://github.com/python/cpython/pull/93879", }, { name: "https://github.com/python/cpython/pull/24848", refsource: "MISC", url: "https://github.com/python/cpython/pull/24848", }, { name: "FEDORA-2022-f511f8f58b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/", }, { name: "FEDORA-2022-7fff0f2b0b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/", }, { name: "FEDORA-2022-a27e239f5a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/", }, { name: "FEDORA-2022-a2be4bd5d8", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/", }, { name: "FEDORA-2022-15f1aa7dc7", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/", }, { name: "FEDORA-2022-fde69532df", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/", }, { name: "FEDORA-2022-61d8e8d880", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/", }, { name: "FEDORA-2022-4ac2e16969", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/", }, { name: "FEDORA-2022-2173709172", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/", }, { name: "FEDORA-2022-01d5789c08", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/", }, { name: "FEDORA-2022-d1682fef04", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/", }, { name: "FEDORA-2022-79843dfb3c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/", }, { name: "FEDORA-2022-20116fb6aa", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/", }, { name: "FEDORA-2022-7ca361a226", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/", }, { name: "GLSA-202305-02", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202305-02", }, ], }, }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", matchCriteriaId: "9BB0C045-72AD-4916-8D81-6C2E0F37CCD3", versionEndExcluding: "3.7.14", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", matchCriteriaId: "5E28EB81-9BE6-4EC9-AC44-EFA4DDB0233F", versionEndExcluding: "3.8.14", versionStartIncluding: "3.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", matchCriteriaId: "24517651-FDBB-4867-99A6-25E12EE8A117", versionEndExcluding: "3.9.14", versionStartIncluding: "3.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", matchCriteriaId: "28C5C34B-331E-4CE4-BEAC-CAAFC9BA6A08", versionEndExcluding: "3.10.6", versionStartIncluding: "3.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "514A577E-5E60-40BA-ABD0-A8C5EB28BD90", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "83B71795-9C81-4E5F-967C-C11808F24B05", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha3:*:*:*:*:*:*", matchCriteriaId: "3F6F71F3-299E-4A4B-ADD1-EAD5A1D433E2", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha4:*:*:*:*:*:*", matchCriteriaId: "D9BBF4E9-EA54-41B5-948E-8E3D2660B7EF", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha5:*:*:*:*:*:*", matchCriteriaId: "AEBFDCE7-81D4-4741-BB88-12C704515F5C", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha6:*:*:*:*:*:*", matchCriteriaId: "156EB4C2-EFB7-4CEB-804D-93DB62992A63", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:alpha7:*:*:*:*:*:*", matchCriteriaId: "8CC972AE-16A8-4B74-A3E7-36BCDD7C1ED3", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:beta1:*:*:*:*:*:*", matchCriteriaId: "554015CB-0325-438B-8C11-0F85F54ABC50", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:beta2:*:*:*:*:*:*", matchCriteriaId: "8037C129-0030-455E-A359-98E14D1498D4", vulnerable: true, }, { criteria: "cpe:2.3:a:python:python:3.11.0:beta3:*:*:*:*:*:*", matchCriteriaId: "7C3DC43B-72CC-4FC5-8072-F051FB47F6D1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"", }, { lang: "es", value: "** EN DISPUTA ** Python versiones 3.x hasta la versión 3.10, presenta una vulnerabilidad de redireccionamiento abierto en el archivo lib/http/server.py debido a una falta de protección contra múltiples (/) al principio de la ruta URI que puede conllevar a una divulgación de información. NOTA: esto es discutido por un tercero porque la página de documentación http.server.html dice \"Advertencia: http.server no se recomienda para producción. Sólo implementa controles de seguridad básicos\".", }, ], id: "CVE-2021-28861", lastModified: "2024-04-11T01:11:06.607", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-23T01:15:07.617", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugs.python.org/issue43223", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/python/cpython/pull/24848", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/python/cpython/pull/93879", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/", }, { source: "cve@mitre.org", url: "https://security.gentoo.org/glsa/202305-02", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }, }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.