CVE-2011-1521

medium

Description

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

References

http://bugs.python.org/issue11662

http://hg.python.org/cpython/file/96a6c128822b/Misc/NEWS

http://hg.python.org/cpython/file/b2934d98dac1/Misc/NEWS

http://hg.python.org/cpython/rev/96a6c128822b/

http://hg.python.org/cpython/rev/b2934d98dac1/

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

http://openwall.com/lists/oss-security/2011/03/24/5

http://openwall.com/lists/oss-security/2011/03/28/2

http://openwall.com/lists/oss-security/2011/09/11/1

http://openwall.com/lists/oss-security/2011/09/13/2

http://openwall.com/lists/oss-security/2011/09/15/5

http://secunia.com/advisories/50858

http://secunia.com/advisories/51024

http://secunia.com/advisories/51040

http://securitytracker.com/id?1025488

http://support.apple.com/kb/HT5002

http://www.mandriva.com/security/advisories?name=MDVSA-2011:096

http://www.ubuntu.com/usn/USN-1592-1

http://www.ubuntu.com/usn/USN-1596-1

http://www.ubuntu.com/usn/USN-1613-1

http://www.ubuntu.com/usn/USN-1613-2

https://bugzilla.redhat.com/show_bug.cgi?id=690560

https://bugzilla.redhat.com/show_bug.cgi?id=737366

https://www.djangoproject.com/weblog/2011/sep/09/

https://www.djangoproject.com/weblog/2011/sep/10/127/

Details

Source: MITRE

Published: 2011-05-24

Updated: 2019-10-25

Type: CWE-399

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:python:2.0:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.4.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.4.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.4.6:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.5.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.5.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.5.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
| 89105 | VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check) | Nessus | Misc. | high |
| 75916 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1) | Nessus | SuSE Local Security Checks | medium |
| 75608 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1) | Nessus | SuSE Local Security Checks | medium |
| 70881 | ESXi 5.0 < Build 608089 Multiple Vulnerabilities (remote check) | Nessus | Misc. | high |
| 68271 | Oracle Linux 5 : python (ELSA-2011-0492) | Nessus | Oracle Linux Local Security Checks | medium |
| 68270 | Oracle Linux 4 : python (ELSA-2011-0491) | Nessus | Oracle Linux Local Security Checks | medium |
| 64221 | SuSE 11.1 Security Update : libpython2_6-1_0, libpython2_6-1_0-32bit, libpython2_6-1_0-x86, python, etc (SAT Patch Number 6310) | Nessus | SuSE Local Security Checks | medium |
| 64220 | SuSE 11.1 Security Update : libpython2_6-1_0, libpython2_6-1_0-32bit, libpython2_6-1_0-x86, python, etc (SAT Patch Number 6310) | Nessus | SuSE Local Security Checks | medium |
| 62620 | Ubuntu 8.04 LTS : python2.4 vulnerabilities (USN-1613-2) | Nessus | Ubuntu Local Security Checks | medium |
| 62619 | Ubuntu 8.04 LTS : python2.5 vulnerabilities (USN-1613-1) | Nessus | Ubuntu Local Security Checks | medium |
| 62436 | Ubuntu 10.04 LTS / 11.04 / 11.10 : python2.6 vulnerabilities (USN-1596-1) | Nessus | Ubuntu Local Security Checks | medium |
| 62410 | Ubuntu 11.04 / 11.10 : python2.7 vulnerabilities (USN-1592-1) | Nessus | Ubuntu Local Security Checks | medium |
| 61046 | Scientific Linux Security Update : python on SL6.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 61033 | Scientific Linux Security Update : python on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 57749 | VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console | Nessus | VMware ESX Local Security Checks | high |
| 57345 | Ubuntu 10.04 LTS / 10.10 / 11.04 : python3.1, python3.2 vulnerabilities (USN-1314-1) | Nessus | Ubuntu Local Security Checks | medium |
| 57248 | SuSE 10 Security Update : python (ZYPP Patch Number 7506) | Nessus | SuSE Local Security Checks | medium |
| 6039 | Mac OS X 10.7 < 10.7.2 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 56481 | Mac OS X Multiple Vulnerabilities (Security Update 2011-006) | Nessus | MacOS X Local Security Checks | critical |
| 56480 | Mac OS X 10.7.x < 10.7.2 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 54643 | SuSE 10 Security Update : python (ZYPP Patch Number 7509) | Nessus | SuSE Local Security Checks | medium |
| 54641 | SuSE 11.1 Security Update : Python (SAT Patch Number 4512) | Nessus | SuSE Local Security Checks | medium |
| 54611 | Mandriva Linux Security Advisory : python (MDVSA-2011:096) | Nessus | Mandriva Local Security Checks | medium |
| 54592 | RHEL 6 : python (RHSA-2011:0554) | Nessus | Red Hat Local Security Checks | medium |
| 53885 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1) | Nessus | SuSE Local Security Checks | medium |
| 53821 | RHEL 5 : python (RHSA-2011:0492) | Nessus | Red Hat Local Security Checks | medium |
| 53820 | RHEL 4 : python (RHSA-2011:0491) | Nessus | Red Hat Local Security Checks | medium |
| 53815 | CentOS 5 : python (CESA-2011:0492) | Nessus | CentOS Local Security Checks | medium |
| 53814 | CentOS 4 : python (CESA-2011:0491) | Nessus | CentOS Local Security Checks | medium |