CVE-2021-28861
python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
** EN DISPUTA ** Python versiones 3.x hasta la versión 3.10, presenta una vulnerabilidad de redireccionamiento abierto en el archivo lib/http/server.py debido a una falta de protección contra múltiples (/) al principio de la ruta URI que puede conllevar a una divulgación de información. NOTA: esto es discutido por un tercero porque la página de documentación http.server.html dice "Advertencia: http.server no se recomienda para producción. Sólo implementa controles de seguridad básicos".
A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path. This issue may lead to information disclosure.
Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-19 CVE Reserved
- 2022-08-23 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (20)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/python/cpython/pull/24848 | 2024-05-17 | |
| https://github.com/python/cpython/pull/93879 | 2024-05-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.0.0 < 3.7.14 Search vendor "Python" for product "Python" and version " >= 3.0.0 < 3.7.14" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.8.0 < 3.8.14 Search vendor "Python" for product "Python" and version " >= 3.8.0 < 3.8.14" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.9.0 < 3.9.14 Search vendor "Python" for product "Python" and version " >= 3.9.0 < 3.9.14" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.10.0 < 3.10.6 Search vendor "Python" for product "Python" and version " >= 3.10.0 < 3.10.6" | - |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha2 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha3 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha4 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha5 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha6 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | alpha7 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta1 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta2 |
Affected
| ||||||
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | 3.11.0 Search vendor "Python" for product "Python" and version "3.11.0" | beta3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||