CVE-2021-23336

CWE-444 — HTTP Request Smuggling CWE-79 — Cross-site Scripting (XSS)9 documents9 sources

Severity

5.9MEDIUM

EPSS

0.3%

top 46.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Cpython Djangoproject Django Python Python +6 more

Timeline

PublishedFeb 15

Latest updateFeb 8

Description

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result i…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:HExploitability: 1.6 | Impact: 4.2

Affected Packages11 packages

▶CVEListV5python/cpythonunspecified — 3.6.13+7

▶NVDpython/python3.7.0 — 3.7.10+3

▶Debianpython2.7< 2.7.18-8+deb11u1

▶Debianpython3.9< 3.9.2-1

▶Debianpython-django< 2:2.2.19-1+3

Also affects: Debian Linux 9.0, Fedora 32, 33, 34

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')↗2022-02-08

▶

GHSA

Cross-site Scripting in Apache Airflow↗2021-06-18

▶

OSV

CVE-2021-23336: The package python/cpython from 0 and before 3↗2021-02-15

▶

CVEList

Web Cache Poisoning↗2021-02-15

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2021-02-22

▶

Red Hat

python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters↗2021-02-13

▶

Microsoft

Web Cache Poisoning↗2021-02-09

▶

Debian

CVE-2021-23336: pypy3 - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.1...↗2021

▶