7.4

CVE-2021-28861

EPSS 0.8%
Veröffentlicht 23.08.2022 01:15:07
Zuletzt bearbeitet 21.11.2024 06:00:20
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 21

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python ≫ Python Version >= 3.0.0 < 3.7.14

Python ≫ Python Version >= 3.8.0 < 3.8.14

Python ≫ Python Version >= 3.9.0 < 3.9.14

Python ≫ Python Version >= 3.10.0 < 3.10.6

Python ≫ Python Version3.11.0 Updatealpha1

Python ≫ Python Version3.11.0 Updatealpha2

Python ≫ Python Version3.11.0 Updatealpha3

Python ≫ Python Version3.11.0 Updatealpha4

Python ≫ Python Version3.11.0 Updatealpha5

Python ≫ Python Version3.11.0 Updatealpha6

Python ≫ Python Version3.11.0 Updatealpha7

Python ≫ Python Version3.11.0 Updatebeta1

Python ≫ Python Version3.11.0 Updatebeta2

Python ≫ Python Version3.11.0 Updatebeta3

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.8%	0.734

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.4	2.8	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://security.gentoo.org/glsa/202305-02

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/

https://bugs.python.org/issue43223

Vendor Advisory

Issue Tracking

https://github.com/python/cpython/pull/24848

Patch

Third Party Advisory

https://github.com/python/cpython/pull/93879

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/

https://nvd.nist.gov/vuln/detail/CVE-2021-28861

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28861

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28861

EUVD