cbcvebase.
CVE-2021-28861
published 2022-08-23


Priority: P338
Severity: high (CVSS 3.1 base score 7.4)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 1.99% (78.2nd percentile)
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple leading slashes (//) at the beginning of the URI path, which may lead to information disclosure. The fix shipped in 3.7.14, 3.8.14, 3.9.14 and 3.10.6 (see Affected below). NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
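The mechanism behind the description, as an added example that is not part of this page and not CPython's own code: a port of the two http.server steps that combine into the open redirect (translate_path, which maps a URL path to the served directory, and the trailing-slash directory redirect in SimpleHTTPRequestHandler.send_head), next to the normalisation the fixed releases apply in BaseHTTPRequestHandler.parse_request. A request path such as //evil.com/.. collapses to the served root on disk, so the handler issues a 301 whose Location is built from the original path and is therefore scheme-relative. The function names, the evil.com host and the empty temporary directory are illustrative assumptions; only the logic mirrors lib/http/server.py.

```python
"""Added example (not CPython code): why '//host/..' turns http.server's
directory redirect into an open redirect, and the upstream normalisation."""
import os
import posixpath
import tempfile
import urllib.parse


def normalize_leading_slashes(path):
    """Mirror of the fix applied in parse_request (3.7.14/3.8.14/3.9.14/3.10.6):
    collapse a leading run of '/' to a single '/'.  HTTP clients read
    '//host/..' as a scheme-relative URL, so any redirect built from such a
    path sends the browser to another origin."""
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


def translate_path(request_path, directory):
    """Port of SimpleHTTPRequestHandler.translate_path: map a URL path onto
    `directory`, dropping query/fragment, '..' and empty components."""
    path = request_path.split('?', 1)[0].split('#', 1)[0]
    trailing_slash = path.rstrip().endswith('/')
    path = urllib.parse.unquote(path, errors='surrogatepass')
    # normpath keeps exactly two leading slashes: '//evil.com/..' -> '//'
    path = posixpath.normpath(path)
    words = filter(None, path.split('/'))
    path = directory
    for word in words:
        if os.path.dirname(word) or word in (os.curdir, os.pardir):
            continue
        path = os.path.join(path, word)
    if trailing_slash:
        path += '/'
    return path


def directory_redirect_location(request_path, directory, hardened):
    """Return the Location header send_head would emit for request_path, or
    None when the request does not reach the directory-redirect branch.
    `hardened=True` applies the parse_request normalisation first."""
    if hardened:
        request_path = normalize_leading_slashes(request_path)
    if not os.path.isdir(translate_path(request_path, directory)):
        return None
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith('/'):
        return None
    # send_head rebuilds the URL from the *request* path and appends '/';
    # with netloc='evil.com' this yields '//evil.com/../'.
    new_parts = (parts.scheme, parts.netloc, parts.path + '/',
                 parts.query, parts.fragment)
    return urllib.parse.urlunsplit(new_parts)


def is_cross_origin_redirect(location):
    """True when a Location value names a host (absolute or scheme-relative),
    i.e. a browser following it would leave the serving origin."""
    return urllib.parse.urlsplit(location).netloc != ''


def demo(request_path='//evil.com/..'):
    """Serve an empty temporary directory (constructed input) and return the
    Location values of the unpatched and patched variants."""
    with tempfile.TemporaryDirectory() as served:
        vulnerable = directory_redirect_location(request_path, served, hardened=False)
        hardened = directory_redirect_location(request_path, served, hardened=True)
    return vulnerable, hardened


if __name__ == '__main__':
    for label, loc in zip(('unpatched', 'patched'), demo()):
        flag = ' (cross-origin)' if loc and is_cross_origin_redirect(loc) else ''
        print(f'{label:10} Location: {loc}{flag}')
```

The same check explains the disputed-severity note: the redirect only fires when the rest of the path resolves to a directory, so a plain //evil.com (no /..) is answered with 404 rather than a redirect, and the scheme-relative Location is what makes the browser, not the server, complete the hop. When triaging a deployment that still runs an affected interpreter, grepping access logs for request targets beginning with // is the quickest indicator.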

Affected

17 ranges
Vendor          Product                                     Version range                         Fixed in
debian          pypy3                                       < pypy3 7.3.10+dfsg-1 (bookworm)      pypy3 7.3.10+dfsg-1 (bookworm)
debian          python2.7                                   < pypy3 7.3.10+dfsg-1 (bookworm)      pypy3 7.3.10+dfsg-1 (bookworm)
debian          python3.11                                  < pypy3 7.3.10+dfsg-1 (bookworm)      pypy3 7.3.10+dfsg-1 (bookworm)
debian          python3.9                                   < pypy3 7.3.10+dfsg-1 (bookworm)      pypy3 7.3.10+dfsg-1 (bookworm)
ericsson        codechecker                                 < 6.24.6                              6.24.6
ericsson        codechecker                                 <= 6.24.5                             -
ericsson        codechecker                                 >= 0 < 6.24.6                         6.24.6
fedoraproject   fedora                                      -                                     -
fedoraproject   fedora                                      -                                     -
fedoraproject   fedora                                      -                                     -
msrc            cbl2_python3_3.9.19-1_on_cbl_mariner_2.0    -                                     -
msrc            cm1_python3_3.7.13-3_on_cbl_mariner_1.0     -                                     -
python          python                                      -                                     -
python          python                                      >= 3.0.0 < 3.7.14                     3.7.14
python          python                                      >= 3.10.0 < 3.10.6                    3.10.6
python          python                                      >= 3.8.0 < 3.8.14                     3.8.14
python          python                                      >= 3.9.0 < 3.9.14                     3.9.14

Note: the debian python2.7, python3.11 and python3.9 rows carry the pypy3 bookworm version string exactly as listed; treat those three rows as a data error and confirm the per-package fixed versions against the Debian security tracker before relying on them.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.4     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
ghsa            -         7.4     HIGH       -
osv             -         7.6     HIGH       -
vendor_ubuntu   -         7.6     HIGH       -
vendor_debian   -         7.4     LOW        -
vendor_msrc     -         7.4     HIGH       -
vendor_oracle   -         7.4     HIGH       -
vendor_redhat   -         7.4     HIGH       -