CVE-2021-3737
Summary
| CVE | CVE-2021-3737 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-03-04 19:15:00 UTC |
| Updated | 2023-11-07 03:38:00 UTC |
| Description | A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. |
Risk And Classification
Problem Types: CWE-400 | CWE-835
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 20.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 21.04 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Application | Netapp | Hci | - | All | All | All |
| Application | Netapp | Management Services For Element Software | - | All | All | All |
| Application | Netapp | Netapp Xcp Smb | - | All | All | All |
| Application | Netapp | Ontap Select Deploy Administration Utility | - | All | All | All |
| Application | Netapp | Xcp Nfs | - | All | All | All |
| Application | Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.1 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 22.2.0 | All | All | All |
| Application | Python | Python | All | All | All | All |
| Application | Redhat | Codeready Linux Builder | 8.0 | All | All | All |
| Application | Redhat | Codeready Linux Builder For Ibm Z Systems | 8.0 | All | All | All |
| Operating System | Redhat | Codeready Linux Builder For Ibm Z Systems | 8.0 | All | All | All |
| Application | Redhat | Codeready Linux Builder For Power Little Endian | 8.0 | All | All | All |
| Operating System | Redhat | Codeready Linux Builder For Power Little Endian | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux For Ibm Z Systems | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux For Power Little Endian | 8.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2021-3737 Python Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| bpo-44022: Improve the security fix regression test. by gpshead · Pull Request #26503 · python/cpython · GitHub | MISC | github.com | |
| 1995162 – (CVE-2021-3737) CVE-2021-3737 python: urllib: HTTP client possible infinite loop on a 100 Continue response | MISC | bugzilla.redhat.com | |
| [SECURITY] [DLA 3477-1] python3.7 security update | MLIST | lists.debian.org | |
| [SECURITY] [DLA 3432-1] python2.7 security update | MLIST | lists.debian.org | |
| CVE-2021-3737 \| Ubuntu | MISC | ubuntu.com | |
| bpo-44022: Fix http client infinite line reading (DoS) after a http 100 by gen-xu · Pull Request #25916 · python/cpython · GitHub | MISC | github.com | |
| CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response — Python Security 0.0 documentation | MISC | python-security.readthedocs.io | |
| Issue 44022: CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response - Python tracker | MISC | bugs.python.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159466 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2021-4160)
- 159797 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2022-1764)
- 159808 Oracle Enterprise Linux Security Update for python3 (ELSA-2022-1986)
- 159819 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-1821)
- 178882 Debian Security Update for python3.5 (DLA 2808-1)
- 181802 Debian Security Update for python2.7 (DLA 3432-1)
- 198609 Ubuntu Security Notification for Python Vulnerabilities (USN-5199-1)
- 198610 Ubuntu Security Notification for Python Vulnerabilities (USN-5201-1)
- 198611 Ubuntu Security Notification for Python Vulnerabilities (USN-5200-1)
- 20270 Oracle Database 21c Critical Patch Update - October 2022
- 20317 Oracle Database 21c Critical Patch Update - January 2023
- 239841 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2021:4160)
- 240254 Red Hat Update for python27-python and python27-python-pip (RHSA-2022:1663)
- 240287 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2022:1764)
- 240302 Red Hat Update for python27:2.7 (RHSA-2022:1821)
- 240313 Red Hat Update for python3 (RHSA-2022:1986)
- 281936 Fedora Security Update for python2.7 (FEDORA-2021-34760089da)
- 281937 Fedora Security Update for python2.7 (FEDORA-2021-68d0f3043a)
- 281947 Fedora Security Update for mingw (FEDORA-2021-eef0654c0b)
- 296062 Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)
- 353942 Amazon Linux Security Advisory for python : ALAS2-2022-1802
- 353955 Amazon Linux Security Advisory for python27 : ALAS-2022-1593
- 6000019 Debian Security Update for python3.7 (DLA 3477-1)
- 671034 EulerOS Security Update for python (EulerOS-SA-2021-2669)
- 671148 EulerOS Security Update for python2 (EulerOS-SA-2021-2812)
- 671155 EulerOS Security Update for python3 (EulerOS-SA-2021-2813)
- 671213 EulerOS Security Update for python3 (EulerOS-SA-2022-1013)
- 671224 EulerOS Security Update for python3 (EulerOS-SA-2022-1033)
- 671253 EulerOS Security Update for python (EulerOS-SA-2022-1183)
- 671296 EulerOS Security Update for python3 (EulerOS-SA-2022-1214)
- 671306 EulerOS Security Update for python3 (EulerOS-SA-2022-1233)
- 751252 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:3477-1)
- 751261 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2021:3486-1)
- 751268 OpenSUSE Security Update for python (openSUSE-SU-2021:3489-1)
- 751274 SUSE Enterprise Linux Security Update for python (SUSE-SU-2021:3524-1)
- 751306 OpenSUSE Security Update for python (openSUSE-SU-2021:1418-1)
- 751494 OpenSUSE Security Update for python3 (openSUSE-SU-2021:4104-1)
- 751548 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:4015-2)
- 752098 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2022:1485-1)
- 900745 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (8956)
- 940499 AlmaLinux Security Update for python27:2.7 (ALSA-2022:1821)
- 940530 AlmaLinux Security Update for python3 (ALSA-2022:1986)
- 940557 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2022:1764)
- 940559 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2021:4160)
- 960239 Rocky Linux Security Update for python39:3.9 and python39-devel:3.9 (RLSA-2021:4160)
- 960252 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2022:1764)
- 960259 Rocky Linux Security Update for python27:2.7 (RLSA-2022:1821)
- 960408 Rocky Linux Security Update for python3 (RLSA-2022:1986)