QID 375537

Date Published: 2021-05-10

QID 375537: Python Buffer Overflow/Web Cache Poisoning Vulnerability

Python is an interpreted, high-level and general-purpose programming language.

CVE-2021-3177 : A vulnerability in Python 3 may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Affected Versions:
Python Versions 3.X up to 3.6.12
Python Versions 3.7.0 up to 3.7.9
Python Versions 3.8.0 up to 3.8.7
Python Versions 3.9.0 up to 3.9.1

CVE-2021-23336 : A vulnerability in Python may lead to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking.

Affected Versions:
Python Versions 0.X up to 3.6.12
Python Versions 3.7.0 up to 3.7.9
Python Versions 3.8.0 up to 3.8.7
Python Versions 3.9.0 up to 3.9.1
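Parameter cloaking works because a front-end cache and the Python application disagree on where one query parameter ends: the cache splits only on '&', while pre-fix parse_qs/parse_qsl also treated ';' as a separator. The example below is added here and is not Qualys or Python project code; legacy_parse is a hand-written emulation of the pre-fix behaviour (an assumption about the old splitting rule, not a call into the old library), fixed_parse uses the separator keyword that the patched releases expose, and the sample query string is constructed for illustration. It shows how to pin the separator and how to flag requests whose parsing would have diverged, which is the check a defender would put in front of a cached endpoint.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample query string (not taken from the advisory). A front-end
# cache keying on '&' sees two parameters: page and filter.
SAMPLE_QUERY = "page=1&filter=a;debug=1"


def legacy_parse(query):
    """Emulate pre-fix parse_qs semantics: both '&' and ';' end a pair.

    This is an assumption-based re-implementation for illustration, not the
    original library code. Pairs without '=' are skipped, as parse_qs does
    by default.
    """
    out = {}
    for pair in re.split(r"[&;]", query):
        if "=" not in pair:
            continue
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out


def fixed_parse(query):
    """Parse as the patched releases do, with the separator pinned to '&'.

    Passing separator explicitly documents the intent and matches what a
    cache that splits only on '&' will key on.
    """
    return parse_qs(query, separator="&")


def cloaked_parameters(query):
    """Return parameter names the legacy parser would see but the cache does not.

    A non-empty result means the application and the cache would have
    disagreed on the request, which is the precondition for cache poisoning.
    """
    return sorted(set(legacy_parse(query)) - set(fixed_parse(query)))


def has_semicolon_in_value(query):
    """Cheap log/WAF check: any value containing ';' under '&'-only parsing."""
    return any(";" in v for values in fixed_parse(query).values() for v in values)


if __name__ == "__main__":
    print("legacy :", legacy_parse(SAMPLE_QUERY))
    print("fixed  :", fixed_parse(SAMPLE_QUERY))
    print("cloaked:", cloaked_parameters(SAMPLE_QUERY))
```

With the patched parser the semicolon stays inside the value of filter, so the application sees exactly what the cache keyed on; an application that genuinely needs ';' as a separator should pass separator=";" deliberately and make sure its cache splits the same way.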

QID Detection Logic (Authenticated):
Detects the installed Python version from either py.exe or the patchlevel.h file.
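The detection reduces to comparing the installed version against the affected ranges listed above. The example below is added here and is not the Qualys detection code; it reads the PY_VERSION define from a patchlevel.h-style header (the constructed sample text stands in for a real file) or the running interpreter, and reports which of the two CVEs apply, using exactly the ranges the advisory gives (the "0.X" lower bound for CVE-2021-23336 is taken literally as 0.0.0).

```python
import re
import sys

# Affected ranges as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = {
    "CVE-2021-3177": [
        ((3, 0, 0), (3, 6, 12)),
        ((3, 7, 0), (3, 7, 9)),
        ((3, 8, 0), (3, 8, 7)),
        ((3, 9, 0), (3, 9, 1)),
    ],
    "CVE-2021-23336": [
        ((0, 0, 0), (3, 6, 12)),
        ((3, 7, 0), (3, 7, 9)),
        ((3, 8, 0), (3, 8, 7)),
        ((3, 9, 0), (3, 9, 1)),
    ],
}

# Constructed stand-in for the contents of Include/patchlevel.h.
SAMPLE_PATCHLEVEL_H = '''
#define PY_MAJOR_VERSION        3
#define PY_MINOR_VERSION        9
#define PY_MICRO_VERSION        1
/* Version as a string */
#define PY_VERSION              "3.9.1"
'''


def parse_version(text):
    """Turn '3.9.1' (or '3.9.1+', '3.10.0rc1') into a comparable (major, minor, micro) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_from_patchlevel(header_text):
    """Extract the PY_VERSION define from patchlevel.h contents."""
    m = re.search(r'#define\s+PY_VERSION\s+"([^"]+)"', header_text)
    if not m:
        raise ValueError("PY_VERSION not found in header")
    return parse_version(m.group(1))


def affected_cves(version):
    """Return the CVE ids from this advisory whose ranges include the version."""
    if isinstance(version, str):
        version = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        if any(low <= version <= high for low, high in ranges):
            hits.append(cve)
    return hits


def running_interpreter_affected():
    """Check the interpreter executing this script (stand-in for reading py.exe)."""
    v = sys.version_info
    return affected_cves((v.major, v.minor, v.micro))


if __name__ == "__main__":
    hdr = version_from_patchlevel(SAMPLE_PATCHLEVEL_H)
    print("patchlevel.h reports", hdr, "->", affected_cves(hdr))
    print("this interpreter  ->", running_interpreter_affected() or "not affected")
```

The first version that falls outside every range is 3.9.2, which is the release the vendor links point to; anything at or below the upper bound of a range should be scheduled for upgrade.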

Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary commands on the target system.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.

Solution
The vendor has released a fix for this issue.
Refer to the issue tracker for CVE-2021-3177 to address this vulnerability and obtain further details.

Vendor References

CVEs related to QID 375537
CVE-2021-3177
CVE-2021-23336

Software Advisories
Advisory ID: CVE-2021-23336 - Link: www.python.org/downloads/release/python-392/
Advisory ID: CVE-2021-3177 - Link: www.python.org/downloads/release/python-392/