CVE-2011-1521: Synchronous Access of Remote Resource without Timeout in Python-django

Severity
6.4 MEDIUM (NVD)
NVD: 5.0
EPSS
1.4% (top 19.50%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 24
Latest update: May 13

Description

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

CVSS vector

AV:N/AC:L/C:P/I:N/A:P (Exploitability: 10.0 | Impact: 4.9)

Affected Packages (5 packages)

debian (debian/python2.7): < python2.7 2.7.1-7 (bullseye)
debian (debian/python-django): < python-django 1.3.1-1 (bookworm)
NVD (python/python): 38 versions (+37)
PyPI (djangoproject/django): 1.3, 1.3.1 (+1)
NVD (djangoproject/django): 1.2.6 (+18)

Patches

🔴 Vulnerability Details (5)

GHSA
GHSA-cq22-fw8f-mvcw: The urllib and urllib2 modules in Python 2 (2022-05-13)
GHSA
Denial of service in django (2018-07-23)
OSV
Denial of service in django (2018-07-23)
OSV
CVE-2011-4137: The verify_exists functionality in the URLField implementation in Django before 1 (2011-10-19)
OSV
CVE-2011-1521: The urllib and urllib2 modules in Python 2 (2011-05-24)

📋 Vendor Advisories (8)

Ubuntu
Python 2.5 vulnerabilities (2012-10-17)
Ubuntu
Python 2.4 vulnerabilities (2012-10-17)
Ubuntu
Python 2.6 vulnerabilities (2012-10-04)
Ubuntu
Python 2.7 vulnerabilities (2012-10-02)
Ubuntu
Python 3 vulnerabilities (2011-12-19)

💬 Community (2)

Bugzilla
CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws (2011-09-11)
Bugzilla
CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662) (2011-03-24)