5.9

CVE-2021-23336

Exploit

EPSS 0.3%
Published 15.02.2021 13:15:12
Last modified 21.11.2024 05:51:31
Source report@snyk.io
Teams watchlist Login
Open Login

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Affected products Warnungen 0 Metrics 4 CWE 1 References 40

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Python Version < 3.6.13

Python ≫ Python Version >= 3.7.0 < 3.7.10

Python ≫ Python Version >= 3.8.0 < 3.8.8

Python ≫ Python Version >= 3.9.0 < 3.9.2

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Debian ≫ Debian Linux Version9.0

Netapp ≫ Cloud Backup Version-

Netapp ≫ Inventory Collect Tool Version-

Netapp ≫ Ontap Select Deploy Administration Utility Version-

Netapp ≫ Snapcenter Version-

Djangoproject ≫ Django Version >= 2.2 < 2.2.19

Djangoproject ≫ Django Version >= 3.0 < 3.0.13

Djangoproject ≫ Django Version >= 3.1 < 3.1.7

Oracle ≫ Communications Offline Mediation Controller Version12.0.0.3.0

Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0

Oracle ≫ Enterprise Manager Ops Center Version12.4.0.0

Oracle ≫ Zfs Storage Appliance Version8.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.53

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
nvd@nist.gov	4	4.9	4.9	AV:N/AC:H/Au:N/C:N/I:P/A:P
report@snyk.io	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html

Third Party Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2021/05/01/2

Third Party Advisory

Mailing List

https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E

https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/

https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/

Third Party Advisory

Technical Description

https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/

http://www.openwall.com/lists/oss-security/2021/02/19/4

Patch

Third Party Advisory

Mailing List

https://github.com/python/cpython/pull/24297

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/

https://security.gentoo.org/glsa/202104-04

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210326-0004/

Third Party Advisory

https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-23336

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-23336

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-23336

EUVD