CVE-2021-23336

Web Cache Poisoning

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

El paquete python/cpython desde versiones 0 y anteriores a 3.6.13, desde versiones 3.7.0 y anteriores a 3.7.10, desde versiones 3.8.0 y anteriores a 3.8.8, desde versiones 3.9.0 y anteriores a 3.9.2, son vulnerables al envenenamiento de caché web por medio de urllib.parse.parse_qsl y urllib.parse.parse_qs usando un vector llamado encubrimiento de parámetros. Cuando el atacante puede separar los parámetros de la consulta usando un punto y coma (;), pueden causar una diferencia en la interpretación de la petición entre el proxy (que se ejecuta con la configuración predeterminada) y el servidor. Esto puede resultar en que las peticiones maliciosas se almacenen en caché como completamente seguras, ya que el proxy normalmente no vería el punto y coma como un separador y, por lo tanto, no lo incluiría en una clave de caché de un parámetro sin clave

The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

*Credits: Snyk Security Team

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-08 CVE Reserved
2021-02-15 CVE Published
2023-11-08 EPSS Updated
2024-09-16 CVE Updated
2024-09-16 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (39)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/05/01/2	Mailing List
https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html	Mailing List
https://security.netapp.com/advisory/ntap-20210326-0004	Third Party Advisory
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages	Technical Description

URL	Date	SRC
https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933	2024-09-16

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/02/19/4	2023-11-07
https://github.com/python/cpython/pull/24297	2023-11-07
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4	2023-11-07
https://security.gentoo.org/glsa/202104-04	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-23336	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1928904	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				< 3.6.13 Search vendor "Python" for product "Python" and version " < 3.6.13"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.7.0 < 3.7.10 Search vendor "Python" for product "Python" and version " >= 3.7.0 < 3.7.10"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.8.0 < 3.8.8 Search vendor "Python" for product "Python" and version " >= 3.8.0 < 3.8.8"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.9.0 < 3.9.2 Search vendor "Python" for product "Python" and version " >= 3.9.0 < 3.9.2"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Inventory Collect Tool Search vendor "Netapp" for product "Inventory Collect Tool"				-		-		Affected
Netapp Search vendor "Netapp"		Ontap Select Deploy Administration Utility Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"				-		-		Affected
Netapp Search vendor "Netapp"		Snapcenter Search vendor "Netapp" for product "Snapcenter"				-		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 2.2 < 2.2.19 Search vendor "Djangoproject" for product "Django" and version " >= 2.2 < 2.2.19"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.0 < 3.0.13 Search vendor "Djangoproject" for product "Django" and version " >= 3.0 < 3.0.13"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.1 < 3.1.7 Search vendor "Djangoproject" for product "Django" and version " >= 3.1 < 3.1.7"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				12.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Zfs Storage Appliance Search vendor "Oracle" for product "Zfs Storage Appliance"				8.8 Search vendor "Oracle" for product "Zfs Storage Appliance" and version "8.8"		-		Affected