CVE-2021-28861

high

Description

** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

References

https://github.com/python/cpython/pull/93879

https://bugs.python.org/issue43223

https://github.com/python/cpython/pull/24848

https://lists.fedoraproject.org/archives/list/[email protected]/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/

https://lists.fedoraproject.org/archives/list/[email protected]/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/

https://lists.fedoraproject.org/archives/list/[email protected]/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/

https://lists.fedoraproject.org/archives/list/[email protected]/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/

https://lists.fedoraproject.org/archives/list/[email protected]/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/

https://lists.fedoraproject.org/archives/list/[email protected]/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/

https://lists.fedoraproject.org/archives/list/[email protected]/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/

https://lists.fedoraproject.org/archives/list/[email protected]/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/

https://lists.fedoraproject.org/archives/list/[email protected]/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/

Details

Source: MITRE

Published: 2022-08-23

Updated: 2022-12-09

Type: CWE-601