CVE-2021-23336

Exploit

EPSS 0.3%
Veröffentlicht 15.02.2021 13:15:12
Zuletzt bearbeitet 21.11.2024 05:51:31
Quelle report@snyk.io
Teams Watchlist Login
Unerledigt Login

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 40

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python ≫ Python Version < 3.6.13

Python ≫ Python Version >= 3.7.0 < 3.7.10

Python ≫ Python Version >= 3.8.0 < 3.8.8

Python ≫ Python Version >= 3.9.0 < 3.9.2

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Debian ≫ Debian Linux Version9.0

Netapp ≫ Cloud Backup Version-

Netapp ≫ Inventory Collect Tool Version-

Netapp ≫ Ontap Select Deploy Administration Utility Version-

Netapp ≫ Snapcenter Version-

Djangoproject ≫ Django Version >= 2.2 < 2.2.19

Djangoproject ≫ Django Version >= 3.0 < 3.0.13

Djangoproject ≫ Django Version >= 3.1 < 3.1.7

Oracle ≫ Communications Offline Mediation Controller Version12.0.0.3.0

Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0

Oracle ≫ Enterprise Manager Ops Center Version12.4.0.0

Oracle ≫ Zfs Storage Appliance Version8.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.53

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
nvd@nist.gov	4	4.9	4.9	AV:N/AC:H/Au:N/C:N/I:P/A:P
report@snyk.io	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch