CVE-2021-28861
python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
** EN DISPUTA ** Python versiones 3.x hasta la versión 3.10, presenta una vulnerabilidad de redireccionamiento abierto en el archivo lib/http/server.py debido a una falta de protección contra múltiples (/) al principio de la ruta URI que puede conllevar a una divulgación de información. NOTA: esto es discutido por un tercero porque la página de documentación http.server.html dice "Advertencia: http.server no se recomienda para producción. Sólo implementa controles de seguridad básicos".
A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path. This issue may lead to information disclosure.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-19 CVE Reserved
- 2022-08-23 CVE Published
- 2024-03-15 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (20)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/python/cpython/pull/24848 | 2024-05-17 | |
https://github.com/python/cpython/pull/93879 | 2024-05-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.0.0 < 3.7.14 Search vendor "Python" for product "Python" and version " >= 3.0.0 < 3.7.14" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.8.0 < 3.8.14 Search vendor "Python" for product "Python" and version " >= 3.8.0 < 3.8.14" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.9.0 < 3.9.14 Search vendor "Python" for product "Python" and version " >= 3.9.0 < 3.9.14" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.10.0 < 3.10.6 Search vendor "Python" for product "Python" and version " >= 3.10.0 < 3.10.6" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha1 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha2 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha3 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha4 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha5 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha6 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha7 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta1 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta2 |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta3 |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
|