CVE-2021-28861: Open Redirect in Python

CWE-601 Open Redirect | 15 documents | 10 sources

Severity: 7.4 HIGH (NVD); other scores: NVD 6.1, OSV 7.6
EPSS: 1.4% (top 19.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; latest update Mar 3

Description

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 4.0

Affected Packages (4 packages)

Source    | Package              | Affected versions
NVD       | python/python        | 3.0.0 to 3.7.14 (+4 more)
NVD       | ericsson/codechecker | < 6.24.6
PyPI      | ericsson/codechecker | < 6.24.6
CVEListV5 | ericsson/codechecker | 6.24.5

Also affects: Fedora 35, 36, 37

Patches

🔴 Vulnerability Details (7)

GHSA: CodeChecker open redirect when URL contains multiple slashes after the product name (2025-03-03)
OSV: CodeChecker open redirect when URL contains multiple slashes after the product name (2025-03-03)
CVEList: Open redirect in CodeChecker web server (2025-02-28)
OSV: python3.9 vulnerabilities (2023-02-27)
GHSA: GHSA-h7f6-hc46-frrv: Python 3 (2022-08-24)

📋 Vendor Advisories (6)

Oracle: Oracle Analytics Risk Matrix: Data Visualization (Python) — CVE-2021-28861 (2024-04-15)
Ubuntu: Python vulnerabilities (2023-02-27)
Ubuntu: Python vulnerability (2022-09-22)
Red Hat: python: open redirection vulnerability in lib/http/server.py may lead to information disclosure (2022-08-22)
Microsoft: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NO (2022-08-09)
CVE-2021-28861 — Open Redirect in Python | cvebase