CVE-2021-28861
Summary
| CVE | CVE-2021-28861 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-23 01:15:00 UTC |
| Updated | 2023-11-07 03:32:00 UTC |
| Description | ** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." |
Risk And Classification
Problem Types: CWE-601
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Application | Python | Python | All | All | All | All |
| Application | Python | Python | 3.11.0 | alpha1 | All | All |
| Application | Python | Python | 3.11.0 | alpha2 | All | All |
| Application | Python | Python | 3.11.0 | alpha3 | All | All |
| Application | Python | Python | 3.11.0 | alpha4 | All | All |
| Application | Python | Python | 3.11.0 | alpha5 | All | All |
| Application | Python | Python | 3.11.0 | alpha6 | All | All |
| Application | Python | Python | 3.11.0 | alpha7 | All | All |
| Application | Python | Python | 3.11.0 | beta1 | All | All |
| Application | Python | Python | 3.11.0 | beta2 | All | All |
| Application | Python | Python | 3.11.0 | beta3 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Issue 43223: [security] http.server: Open Redirection if the URL path starts with // - Python tracker | MISC | bugs.python.org | |
| [SECURITY] Fedora 35 Update: pypy3.8-7.3.9-5.3.8.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy3.7-7.3.9-4.3.7.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: pypy3.9-7.3.9-4.3.9.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: mingw-python3-3.10.8-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| bpo-43223: [SECURITY] Patched Open Redirection In SimpleHTTPServer Module by hamzaavvan · Pull Request #24848 · python/cpython · GitHub | MISC | github.com | |
| [SECURITY] Fedora 37 Update: python3.6-3.6.15-12.fc37 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3.9-3.9.14-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| gh-87389: Fix an open redirection vulnerability in http.server. by gpshead · Pull Request #93879 · python/cpython · GitHub | MISC | github.com | |
| FEDORA-2022-7fff0f2b0b | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: pypy3.7-7.3.9-4.3.7.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python3.6-3.6.15-11.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy3.8-7.3.9-5.3.8.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: pypy3.9-7.3.9-4.3.9.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: pypy3.8-7.3.9-5.3.8.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 37 Update: mingw-python3-3.10.8-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3.6-3.6.15-5.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy3.9-7.3.9-4.3.9.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160271 Oracle Enterprise Linux Security Update for python3.9 (ELSA-2022-8353)
- 160473 Oracle Enterprise Linux Security Update for python3 (ELSA-2023-0833)
- 160651 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2023-2763)
- 160687 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2023-2764)
- 199497 Ubuntu Security Notification for Python Vulnerabilities (USN-5888-1)
- 240700 Red Hat Update for rh-python38-python (RHSA-2022:6766)
- 240914 Red Hat Update for python3.9 security (RHSA-2022:8353)
- 241211 Red Hat Update for python3 (RHSA-2023:0833)
- 241481 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2023:2763)
- 241507 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:2764)
- 283111 Fedora Security Update for python3.8 (FEDORA-2022-29d436596f)
- 283112 Fedora Security Update for python3.7 (FEDORA-2022-8535093cba)
- 283139 Fedora Security Update for python3.9 (FEDORA-2022-f511f8f58b)
- 283159 Fedora Security Update for python3.6 (FEDORA-2022-a27e239f5a)
- 283160 Fedora Security Update for python3.6 (FEDORA-2022-a2be4bd5d8)
- 283220 Fedora Security Update for pypy3.8 (FEDORA-2022-fde69532df)
- 283221 Fedora Security Update for pypy3.8 (FEDORA-2022-15f1aa7dc7)
- 283225 Fedora Security Update for pypy3.9 (FEDORA-2022-4ac2e16969)
- 283231 Fedora Security Update for pypy3.9 (FEDORA-2022-61d8e8d880)
- 283247 Fedora Security Update for pypy3.7 (FEDORA-2022-2173709172)
- 283248 Fedora Security Update for pypy3.7 (FEDORA-2022-01d5789c08)
- 283294 Fedora Security Update for mingw (FEDORA-2022-d1682fef04)
- 283444 Fedora Security Update for mingw (FEDORA-2022-79843dfb3c)
- 283483 Fedora Security Update for pypy3.9 (FEDORA-2022-7ca361a226)
- 283484 Fedora Security Update for pypy3.8 (FEDORA-2022-20116fb6aa)
- 285297 Fedora Security Update for pypy3.10 (FEDORA-2023-ddde191e04)
- 672260 EulerOS Security Update for python3 (EulerOS-SA-2022-2661)
- 672314 EulerOS Security Update for python3 (EulerOS-SA-2022-2693)
- 672343 EulerOS Security Update for python3 (EulerOS-SA-2022-2773)
- 672368 EulerOS Security Update for python3 (EulerOS-SA-2022-2738)
- 672399 EulerOS Security Update for python3 (EulerOS-SA-2022-2805)
- 710714 Gentoo Linux Python, PyPy3 Multiple Vulnerabilities (GLSA 202305-02)
- 752642 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2022:3483-1)
- 752643 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2022:3485-1)
- 752652 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:3512-1)
- 752656 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:3511-1)
- 752661 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:3544-1)
- 752667 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:3553-1)
- 752672 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:3593-1)
- 752676 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:3512-2)
- 752687 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:3511-2)
- 902780 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (10625)
- 902788 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (10618)
- 903967 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (10618-1)
- 903988 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (10625-1)
- 940790 AlmaLinux Security Update for python3.9 (ALSA-2022:8353)
- 940928 AlmaLinux Security Update for python3 (ALSA-2023:0833)
- 941099 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2023:2764)
- 941101 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2023:2763)
- 960542 Rocky Linux Security Update for python3.9 (RLSA-2022:8353)
- 960653 Rocky Linux Security Update for python3 (RLSA-2023:0833)