{"api_version":"1","generated_at":"2026-04-22T15:43:10+00:00","cve":"CVE-2021-23336","urls":{"html":"https://cve.report/CVE-2021-23336","api":"https://cve.report/api/cve/CVE-2021-23336.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23336","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23336"},"summary":{"title":"CVE-2021-23336","description":"The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2021-02-15 13:15:00","updated_at":"2023-11-07 03:30:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/","name":"FEDORA-2021-98720f3785","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: python2.7-2.7.18-11.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/","name":"FEDORA-2021-e525e48886","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: mingw-python3-3.9.2-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html","name":"[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2619-1] python3.5 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E","name":"[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/","name":"FEDORA-2021-2897f5366c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: python3.10-3.10.0~a6-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/","name":"FEDORA-2021-309bc2e727","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: mingw-python3-3.8.8-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/","name":"FEDORA-2021-309bc2e727","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: mingw-python3-3.8.8-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/","name":"FEDORA-2021-98720f3785","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python2.7-2.7.18-11.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/","name":"FEDORA-2021-907f3bacae","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python37-3.7.10-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/","name":"FEDORA-2021-7c1bb32d13","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: python39-3.9.2-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/","name":"FEDORA-2021-5a09621ebb","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: python3.10-3.10.0~a6-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/","name":"FEDORA-2021-907f3bacae","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: python37-3.7.10-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E","name":"[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/","name":"FEDORA-2021-b6b6093b3a","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python3-3.8.9-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/","name":"FEDORA-2021-b326fcb83f","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.10-3.10.0~a6-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/","name":"FEDORA-2021-e22bb0e548","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: python-django-3.1.7-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/","name":"FEDORA-2021-ef83e8525a","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python-django-3.0.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/","name":"FEDORA-2021-b1843407ca","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: python3.9-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/","name":"FEDORA-2021-3352c1c802","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python36-3.6.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/02/19/4","name":"[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Django security releases: CVE-2021-23336: Web cache poisoning via\n ``django.utils.http.limited_parse_qsl()``","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com//security-alerts/cpujul2021.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E","name":"[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/","name":"FEDORA-2021-5a09621ebb","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: python3.10-3.10.0~a6-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/","name":"FEDORA-2021-1bb399a5af","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: python-django-3.0.13-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/","name":"FEDORA-2021-7d3a9004e2","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: python3.8-3.8.8-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","name":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - January 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/05/01/2","name":"[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query\n Argument in URL","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/","name":"FEDORA-2021-ef83e8525a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: python-django-3.0.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html","name":"[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2569-1] python-django security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/","name":"FEDORA-2021-12df7f7382","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: python2.7-2.7.18-11.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/","name":"FEDORA-2021-b76ede8f4d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python3-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/","name":"FEDORA-2021-7c1bb32d13","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python39-3.9.2-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/","name":"FEDORA-2021-7547ad987f","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.6-3.6.13-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html","name":"[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2628-1] python2.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/","name":"FEDORA-2021-3352c1c802","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: python36-3.6.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E","name":"[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html","name":"[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3575-1] python2.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/","name":"FEDORA-2021-f4fd9372c7","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.7-3.7.10-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/","name":"FEDORA-2021-7d3a9004e2","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.8-3.8.8-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/","name":"FEDORA-2021-12df7f7382","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: python2.7-2.7.18-11.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202104-04","name":"GLSA-202104-04","refsource":"GENTOO","tags":[],"title":"Python: Multiple vulnerabilities (GLSA 202104-04) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/","name":"FEDORA-2021-e525e48886","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: mingw-python3-3.9.2-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/","name":"FEDORA-2021-b76ede8f4d","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python3-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933","name":"https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Web Cache Poisoning in python/cpython | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/","name":"FEDORA-2021-2897f5366c","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: python3.10-3.10.0~a6-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/","name":"FEDORA-2021-b326fcb83f","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.10-3.10.0~a6-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/","name":"FEDORA-2021-7547ad987f","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: python3.6-3.6.13-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/","name":"FEDORA-2021-b6b6093b3a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: python3-3.8.9-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/","name":"FEDORA-2021-1bb399a5af","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python-django-3.0.13-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/python/cpython/pull/24297","name":"https://github.com/python/cpython/pull/24297","refsource":"MISC","tags":["Third Party Advisory"],"title":"bpo-42967: only use '&' as a query string separator by AdamGold · Pull Request #24297 · python/cpython · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/","name":"FEDORA-2021-f4fd9372c7","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: python3.7-3.7.10-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E","name":"[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpuApr2021.html","name":"https://www.oracle.com/security-alerts/cpuApr2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210326-0004/","name":"https://security.netapp.com/advisory/ntap-20210326-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-23336 Python Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/","name":"FEDORA-2021-e22bb0e548","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: python-django-3.1.7-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E","name":"[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/","name":"FEDORA-2021-b1843407ca","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: python3.9-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/","name":"https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/","refsource":"MISC","tags":["Technical Description","Third Party Advisory"],"title":"Cache poisoning in popular open source packages | Snyk Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23336","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23336","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Snyk Security Team","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_backup","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"inventory_collect_tool","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"ontap_select_deploy_administration_utility","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapcenter","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_offline_mediation_controller","cpe6":"12.0.0.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_pricing_design_center","cpe6":"12.0.0.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_ops_center","cpe6":"12.4.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"oracle","cpe5":"zfs_storage_appliance","cpe6":"8.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23336","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23336","qid":"159200","title":"Oracle Enterprise Linux Security Update for python3 (ELSA-2021-1633)"},{"cve":"CVE-2021-23336","qid":"159463","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2021-4151)"},{"cve":"CVE-2021-23336","qid":"159467","title":"Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-4162)"},{"cve":"CVE-2021-23336","qid":"174803","title":"SUSE Enterprise Linux Security update for python (SUSE-SU-2021:0768-1)"},{"cve":"CVE-2021-23336","qid":"174820","title":"SUSE Enterprise Linux Security update for python3 (SUSE-SU-2021:0886-1)"},{"cve":"CVE-2021-23336","qid":"174825","title":"SUSE Enterprise Linux Security update for python36 (SUSE-SU-2021:0887-1)"},{"cve":"CVE-2021-23336","qid":"174842","title":"SUSE Enterprise Linux Security update for python3 (SUSE-SU-2021:0947-1)"},{"cve":"CVE-2021-23336","qid":"174861","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:0947-1)"},{"cve":"CVE-2021-23336","qid":"178536","title":"Debian Security Update for python3.5 (DLA 2619-1)"},{"cve":"CVE-2021-23336","qid":"178546","title":"Debian Security Update for python2.7 (DLA 2628-1)"},{"cve":"CVE-2021-23336","qid":"180273","title":"Debian Security Update for python3.9pypy3python-django (CVE-2021-23336)"},{"cve":"CVE-2021-23336","qid":"181172","title":"Debian Security Update for python-django (DLA 3164-1)"},{"cve":"CVE-2021-23336","qid":"239323","title":"Red Hat Update for python3 (RHSA-2021:1633)"},{"cve":"CVE-2021-23336","qid":"239580","title":"Red Hat Update for rh-python38 (RHSA-2021:3254)"},{"cve":"CVE-2021-23336","qid":"239582","title":"Red Hat Update for python27 (RHSA-2021:3252)"},{"cve":"CVE-2021-23336","qid":"239826","title":"Red Hat Update for python27:2.7 (RHSA-2021:4151)"},{"cve":"CVE-2021-23336","qid":"239845","title":"Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)"},{"cve":"CVE-2021-23336","qid":"281120","title":"Fedora Security Update for python2.7 (FEDORA-2021-12df7f7382)"},{"cve":"CVE-2021-23336","qid":"281121","title":"Fedora Security Update for python2.7 (FEDORA-2021-98720f3785)"},{"cve":"CVE-2021-23336","qid":"281358","title":"Fedora Security Update for python3 (FEDORA-2021-b6b6093b3a)"},{"cve":"CVE-2021-23336","qid":"281531","title":"Fedora Security Update for mingw (FEDORA-2021-309bc2e727)"},{"cve":"CVE-2021-23336","qid":"281532","title":"Fedora Security Update for mingw (FEDORA-2021-b76ede8f4d)"},{"cve":"CVE-2021-23336","qid":"281533","title":"Fedora Security Update for mingw (FEDORA-2021-e525e48886)"},{"cve":"CVE-2021-23336","qid":"281542","title":"Fedora Security Update for python (FEDORA-2021-ef83e8525a)"},{"cve":"CVE-2021-23336","qid":"281543","title":"Fedora Security Update for python (FEDORA-2021-1bb399a5af)"},{"cve":"CVE-2021-23336","qid":"281544","title":"Fedora Security Update for python (FEDORA-2021-e22bb0e548)"},{"cve":"CVE-2021-23336","qid":"281547","title":"Fedora Security Update for python3.10 (FEDORA-2021-2897f5366c)"},{"cve":"CVE-2021-23336","qid":"281548","title":"Fedora Security Update for python3.10 (FEDORA-2021-5a09621ebb)"},{"cve":"CVE-2021-23336","qid":"281549","title":"Fedora Security Update for python3.10 (FEDORA-2021-b326fcb83f)"},{"cve":"CVE-2021-23336","qid":"281604","title":"Fedora Security Update for python3.9 (FEDORA-2021-b1843407ca)"},{"cve":"CVE-2021-23336","qid":"281609","title":"Fedora Security Update for python3.6 (FEDORA-2021-7fa9dc84d4)"},{"cve":"CVE-2021-23336","qid":"352278","title":"Amazon Linux Security Update for python35: ALAS-2021-1498"},{"cve":"CVE-2021-23336","qid":"352305","title":"Amazon Linux Security Advisory for python36: ALAS-2021-1500"},{"cve":"CVE-2021-23336","qid":"352365","title":"Amazon Linux Security Advisory for python34: ALAS-2021-1504"},{"cve":"CVE-2021-23336","qid":"352371","title":"Amazon Linux Security Advisory for python3: ALAS2-2021-1640"},{"cve":"CVE-2021-23336","qid":"353942","title":"Amazon Linux Security Advisory for python : ALAS2-2022-1802"},{"cve":"CVE-2021-23336","qid":"353955","title":"Amazon Linux Security Advisory for python27 : ALAS-2022-1593"},{"cve":"CVE-2021-23336","qid":"375537","title":"Python Buffer Overflow/Web Cache Poisoning Vulnerability"},{"cve":"CVE-2021-23336","qid":"377387","title":"Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2021:0080)"},{"cve":"CVE-2021-23336","qid":"500595","title":"Alpine Linux Security Update for python3"},{"cve":"CVE-2021-23336","qid":"501677","title":"Alpine Linux Security Update for py3-django"},{"cve":"CVE-2021-23336","qid":"504345","title":"Alpine Linux Security Update for python3"},{"cve":"CVE-2021-23336","qid":"6000148","title":"Debian Security Update for python2.7 (DLA 3575-1)"},{"cve":"CVE-2021-23336","qid":"670241","title":"EulerOS Security Update for python (EulerOS-SA-2021-1835)"},{"cve":"CVE-2021-23336","qid":"670313","title":"EulerOS Security Update for python (EulerOS-SA-2021-1911)"},{"cve":"CVE-2021-23336","qid":"670338","title":"EulerOS Security Update for python3 (EulerOS-SA-2021-1886)"},{"cve":"CVE-2021-23336","qid":"670368","title":"EulerOS Security Update for python3 (EulerOS-SA-2021-1957)"},{"cve":"CVE-2021-23336","qid":"670389","title":"EulerOS Security Update for python3 (EulerOS-SA-2021-1936)"},{"cve":"CVE-2021-23336","qid":"670668","title":"EulerOS Security Update for python (EulerOS-SA-2021-2427)"},{"cve":"CVE-2021-23336","qid":"710014","title":"Gentoo Linux Python Multiple Vulnerabilities (GLSA 202104-04)"},{"cve":"CVE-2021-23336","qid":"750307","title":"OpenSUSE Security Update for python (openSUSE-SU-2021:0435-1)"},{"cve":"CVE-2021-23336","qid":"900046","title":"CBL-Mariner Linux Security Update for python3 3.7.9"},{"cve":"CVE-2021-23336","qid":"900925","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (6827-1)"},{"cve":"CVE-2021-23336","qid":"903306","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (3910)"},{"cve":"CVE-2021-23336","qid":"903651","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (3911)"},{"cve":"CVE-2021-23336","qid":"940187","title":"AlmaLinux Security Update for python3 (ALSA-2021:1633)"},{"cve":"CVE-2021-23336","qid":"940522","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2021:4151)"},{"cve":"CVE-2021-23336","qid":"940526","title":"AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2021:4162)"},{"cve":"CVE-2021-23336","qid":"960320","title":"Rocky Linux Security Update for python27:2.7 (RLSA-2021:4151)"},{"cve":"CVE-2021-23336","qid":"960342","title":"Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2021:4162)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2021-02-15T12:12:19.012177Z","ID":"CVE-2021-23336","STATE":"PUBLIC","TITLE":"Web Cache Poisoning"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"python/cpython","version":{"version_data":[{"version_affected":">=","version_value":"0"},{"version_affected":"<","version_value":"3.6.13"},{"version_affected":">=","version_value":"3.7.0"},{"version_affected":"<","version_value":"3.7.10"},{"version_affected":">=","version_value":"3.8.0"},{"version_affected":"<","version_value":"3.8.8"},{"version_affected":">=","version_value":"3.9.0"},{"version_affected":"<","version_value":"3.9.2"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Web Cache Poisoning"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933","name":"https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"},{"refsource":"MISC","url":"https://github.com/python/cpython/pull/24297","name":"https://github.com/python/cpython/pull/24297"},{"refsource":"MISC","url":"https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/","name":"https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"},{"refsource":"MLIST","name":"[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``","url":"http://www.openwall.com/lists/oss-security/2021/02/19/4"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update","url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"},{"refsource":"FEDORA","name":"FEDORA-2021-7547ad987f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"},{"refsource":"FEDORA","name":"FEDORA-2021-f4fd9372c7","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"},{"refsource":"FEDORA","name":"FEDORA-2021-3352c1c802","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"},{"refsource":"FEDORA","name":"FEDORA-2021-7d3a9004e2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"},{"refsource":"MLIST","name":"[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar","url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"},{"refsource":"FEDORA","name":"FEDORA-2021-907f3bacae","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"},{"refsource":"FEDORA","name":"FEDORA-2021-7c1bb32d13","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"},{"refsource":"FEDORA","name":"FEDORA-2021-b1843407ca","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"},{"refsource":"FEDORA","name":"FEDORA-2021-2897f5366c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"},{"refsource":"FEDORA","name":"FEDORA-2021-b326fcb83f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"},{"refsource":"FEDORA","name":"FEDORA-2021-1bb399a5af","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"},{"refsource":"FEDORA","name":"FEDORA-2021-ef83e8525a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"},{"refsource":"FEDORA","name":"FEDORA-2021-b76ede8f4d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"},{"refsource":"FEDORA","name":"FEDORA-2021-309bc2e727","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"},{"refsource":"FEDORA","name":"FEDORA-2021-5a09621ebb","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"},{"refsource":"FEDORA","name":"FEDORA-2021-e22bb0e548","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"},{"refsource":"FEDORA","name":"FEDORA-2021-e525e48886","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"},{"refsource":"FEDORA","name":"FEDORA-2021-b6b6093b3a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"},{"refsource":"GENTOO","name":"GLSA-202104-04","url":"https://security.gentoo.org/glsa/202104-04"},{"refsource":"MLIST","name":"[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","url":"https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"},{"refsource":"MLIST","name":"[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","url":"http://www.openwall.com/lists/oss-security/2021/05/01/2"},{"refsource":"MLIST","name":"[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL","url":"https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"},{"refsource":"FEDORA","name":"FEDORA-2021-98720f3785","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"},{"refsource":"FEDORA","name":"FEDORA-2021-12df7f7382","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"},{"url":"https://www.oracle.com/security-alerts/cpuApr2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210326-0004/","url":"https://security.netapp.com/advisory/ntap-20210326-0004/"},{"url":"https://www.oracle.com//security-alerts/cpujul2021.html","refsource":"MISC","name":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}]},"description":{"description_data":[{"lang":"eng","value":"The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"}},"credit":[{"lang":"eng","value":"Snyk Security Team"}]},"nvd":{"publishedDate":"2021-02-15 13:15:00","lastModifiedDate":"2023-11-07 03:30:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.6,"impactScore":4.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.0","versionEndExcluding":"3.9.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8.0","versionEndExcluding":"3.8.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7.0","versionEndExcluding":"3.7.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionEndExcluding":"3.6.13","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"3.1.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"3.0.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2","versionEndExcluding":"2.2.19","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:oracle:zfs_storage_appliance:8.8:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23336","Ordinal":"198063","Title":"CVE-2021-23336","CVE":"CVE-2021-23336","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23336","Ordinal":"1","NoteData":"The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23336","Ordinal":"2","NoteData":"2021-02-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23336","Ordinal":"3","NoteData":"2022-02-07","Type":"Other","Title":"Modified"}]}}}