CVE-2021-28861
Published 2022-08-23. CVE-2021-28861: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path…
Priority: P3 · 38 · High · CVSS 3.1 base score 7.4
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:N / A:N
EPSS: 1.99% (78.2th percentile)
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pypy3 | < pypy3 7.3.10+dfsg-1 (bookworm) | pypy3 7.3.10+dfsg-1 (bookworm) |
| debian | python2.7 | < pypy3 7.3.10+dfsg-1 (bookworm) | pypy3 7.3.10+dfsg-1 (bookworm) |
| debian | python3.11 | < pypy3 7.3.10+dfsg-1 (bookworm) | pypy3 7.3.10+dfsg-1 (bookworm) |
| debian | python3.9 | < pypy3 7.3.10+dfsg-1 (bookworm) | pypy3 7.3.10+dfsg-1 (bookworm) |
| ericsson | codechecker | < 6.24.6 | 6.24.6 |
| ericsson | codechecker | <= 6.24.5 | — |
| ericsson | codechecker | >= 0 < 6.24.6 | 6.24.6 |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_python3_3.9.19-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_python3_3.7.13-3_on_cbl_mariner_1.0 | — | — |
| python | python | — | — |
| python | python | >= 3.0.0 < 3.7.14 | 3.7.14 |
| python | python | >= 3.10.0 < 3.10.6 | 3.10.6 |
| python | python | >= 3.8.0 < 3.8.14 | 3.8.14 |
| python | python | >= 3.9.0 < 3.9.14 | 3.9.14 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| ghsa | — | 7.4 | HIGH | — |
| osv | — | 7.6 | HIGH | — |
| vendor_ubuntu | — | 7.6 | HIGH | — |
| vendor_debian | — | 7.4 | LOW | — |
| vendor_msrc | — | 7.4 | HIGH | — |
| vendor_oracle | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.4 | HIGH | — |
GHSA
CodeChecker open redirect when URL contains multiple slashes after the product name
ghsa · 2025-03-03 · CVSS 7.4 · CVE-2025-1300 [HIGH] CWE-601
Summary
---
CodeChecker versions up to 6.24.5 contain an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL's path segment. This results in bypassing protections against CVE-2021-28861, leading to the same open redirect pathway.
Details
---
CodeChecker processes GET requests by first rewriting the path segment of the URL, and then passing the rewritten URL to the webserver framework.
When trimming the product name from the URL, no sanitization was performed on the remaining URL, which reintroduced the same issue as CVE-2021-28861, leading to the same open redirect pathway using URLs such as `/Default//attacker.com/%2f..`.
Impact
---
The vu
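The following is an offline model of the redirect mechanism described in the CVE text at the top of the page and in the CodeChecker Details above. It is an added example, not CPython's http.server source and not CodeChecker's code: it reproduces only the Location-header construction that SimpleHTTPRequestHandler.send_head() performs for a directory request, plus the leading-slash collapse that CPython 3.7.14 / 3.8.14 / 3.9.14 / 3.10.6 added to BaseHTTPRequestHandler.parse_request(). `strip_product_prefix()` is a hypothetical stand-in for a front end that trims a product name before delegating to http.server; `attacker.com` and `Default` are taken from the payload quoted in the advisory, and applying the same collapse after the trim is this example's hardening, not a description of CodeChecker's actual patch.

```python
"""Offline model of the CVE-2021-28861 open redirect and its fix.

Added example, not CPython's http.server source and not CodeChecker's code.
It reproduces only the two decisions that matter for the bug: how
SimpleHTTPRequestHandler.send_head() builds the Location header for a
directory request, and the leading-slash collapse that CPython 3.7.14 /
3.8.14 / 3.9.14 / 3.10.6 added to BaseHTTPRequestHandler.parse_request().
"""
from urllib.parse import urlsplit, urlunsplit

# Payload quoted in the CodeChecker advisory; "attacker.com" and "Default"
# come from that advisory, not from any real deployment.
PAYLOAD = "/Default//attacker.com/%2f.."


def directory_redirect_target(request_path: str) -> str:
    """Location value http.server sends when the path maps to a directory
    but has no trailing slash. For "//attacker.com/%2f.." translate_path()
    normalises the decoded path to the served root, so this branch fires;
    urlsplit() then reads "attacker.com" as a netloc because the string
    starts with "//"."""
    parts = urlsplit(request_path)
    if parts.path.endswith("/"):
        return request_path            # already canonical, no redirect
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def collapse_leading_slashes(request_path: str) -> str:
    """The upstream mitigation: reduce any run of leading slashes to one so
    the request target can never be parsed as scheme-relative "//host"."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def strip_product_prefix(request_path: str, product: str) -> str:
    """Hypothetical stand-in for a front end that removes "/<product>" from
    the path and forwards the remainder to http.server, as the CodeChecker
    advisory describes. Trimming without re-normalising hands the handler
    a path that begins with "//" again."""
    prefix = "/" + product
    if request_path.startswith(prefix):
        return request_path[len(prefix):] or "/"
    return request_path


def is_offsite_redirect(location: str) -> bool:
    """A Location header leaves the origin if it carries any authority
    component; "//host/..." counts, since browsers resolve it with the
    current scheme. This is the assertion a regression test should make."""
    return urlsplit(location).netloc != ""


def redirect_chain(request_path: str, product: str, patched: bool) -> str:
    """Product-prefix trim followed by http.server's redirect, with or
    without the leading-slash collapse in between (the collapse placement
    here is this example's hardening, not CodeChecker's own fix)."""
    inner = strip_product_prefix(request_path, product)
    if patched:
        inner = collapse_leading_slashes(inner)
    return directory_redirect_target(inner)


if __name__ == "__main__":
    for patched in (False, True):
        loc = redirect_chain(PAYLOAD, "Default", patched)
        state = "patched   " if patched else "vulnerable"
        print(f"{state} Location: {loc}  offsite={is_offsite_redirect(loc)}")
```

Run stand-alone, the unpatched chain yields `Location: //attacker.com/%2f../`, a scheme-relative URL that a browser resolves to the attacker's host (hence UI:R in the vector: the victim has to follow a crafted link). With the collapse in place the same payload becomes `/attacker.com/%2f../`, a same-origin path. `is_offsite_redirect()` is the check worth adding to any test suite for a service that fronts http.server: assert that no request path can produce a Location with a non-empty netloc.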
OSV
CodeChecker open redirect when URL contains multiple slashes after the product name
osv · 2025-03-03 · CVSS 7.4 · CVE-2025-1300 [HIGH]
OSV
python3.9 vulnerabilities
osv · 2023-02-27 · CVSS 7.6 · CVE-2015-20107 [HIGH]
It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2015-20107)
Hamza Avvan discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-28861)
It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-37454, CVE-2022-42919)
It was disco
GHSA
GHSA-h7f6-hc46-frrv: Python 3
ghsa_unreviewed · 2022-08-24 · CVE-2021-28861 [HIGH] CWE-601
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure.
OSV
CVE-2021-28861: Python 3
osv · 2022-08-23 · CVSS 7.4 · CVE-2021-28861 [HIGH]
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Oracle
Oracle Analytics Risk Matrix: Data Visualization (Python) — CVE-2021-28861
vendor_oracle · 2024-04-15 · CVSS 7.4 · CVE-2021-28861 [HIGH]
Oracle Analytics Risk Matrix: Data Visualization (Python) vulnerability
CVE: CVE-2021-28861
CVSS: 7.4
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpuapr2024 (APR 2024)
Ubuntu
Python vulnerabilities
vendor_ubuntu · 2023-02-27 · CVSS 7.6 · CVE-2022-42919 [HIGH]
Summary: Several security issues were fixed in Python.
It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2015-20107)
Hamza Avvan discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-28861)
It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
ar
Ubuntu
Python vulnerability
vendor_ubuntu · 2022-09-22 · CVE-2021-28861
Summary: Python could be made to redirect web traffic if its http.server
received a specially crafted request.
It was discovered that the Python http.server module incorrectly handled
certain URIs. An attacker could potentially use this to redirect web traffic.
Instructions: After a standard system update you need to restart the python3 http.server
to make all the necessary changes.
Red Hat
python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
vendor_redhat · 2022-08-22 · CVSS 7.4 · CVE-2021-28861 [HIGH] CWE-601
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path. This issue may lead to information disclosure.
Statement: This vulnerability is rated as a moderate because in Py
Microsoft
Python 3.x through 3.10 open redirection vulnerability in lib/http/server.py
vendor_msrc · 2022-08-09 · CVSS 7.4 · CVE-2021-28861 [HIGH] CWE-601
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to
Debian
CVE-2021-28861: pypy3 - Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server...
vendor_debian · 2021 · CVSS 7.4 · CVE-2021-28861 [HIGH]
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Scope: local
bookworm: resolved (fixed in 7.3.10+dfsg-1)
bullseye: resolved (fixed in 7.3.5+dfsg-2+deb11u4)
forky: resolved (fixed in 7.3.10+dfsg-1)
sid: resolved (fixed in 7.3.10+dfsg-1)
trixie: resolved (fixed in 7.3.10+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://bugs.python.org/issue43223
https://github.com/python/cpython/pull/24848
https://github.com/python/cpython/pull/93879
https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/
https://security.gentoo.org/glsa/202305-02