https://github.com/python/cpython/pull/25099

https://sick.codes/sick-2021-014

https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

https://github.com/sickcodes

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md

https://github.com/python/cpython/pull/12577

https://docs.python.org/3/library/ipaddress.html

https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

https://bugs.python.org/issue36384

https://security.netapp.com/advisory/ntap-20210622-0003/

https://www.oracle.com/security-alerts/cpuoct2021.html

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4162 advisory.

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before     3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and     urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query     parameters using a semicolon (;), they can cause a difference in the interpretation of the request between     the proxy (running with default configuration) and the server. This can result in malicious requests being     cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and     therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by     its CNA. Notes: none. (CVE-2021-20095)

  - psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount     mishandling within a while or for loop that converts system data into a Python object. (CVE-2019-18874)

  - Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing     serialized Python objects) via directory traversal, leading to code execution. (CVE-2021-42771)

  - A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote     attacker could possibly use this issue to install a different revision on a repository. The highest threat     from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. (CVE-2021-3572)

  - This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the     `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most     exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format     user content instead of the urlize filter, or by implementing request timeouts and limiting process     memory. (CVE-2020-28493)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

  - There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince     another local or adjacent user to start a pydoc server could access the server and use it to disclose     sensitive information belonging to the other user that they would not normally be able to access. The     highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9,     Python versions before 3.9.3 and Python versions before 3.10.0a7. (CVE-2021-3426)

  - An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in     the authority component, the authority regular expression exhibits catastrophic backtracking, causing a     denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
    (CVE-2021-33503)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4160 advisory.

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

  - A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote     attacker could possibly use this issue to install a different revision on a repository. The highest threat     from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. (CVE-2021-3572)

  - There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince     another local or adjacent user to start a pydoc server could access the server and use it to disclose     sensitive information belonging to the other user that they would not normally be able to access. The     highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9,     Python versions before 3.9.3 and Python versions before 3.10.0a7. (CVE-2021-3426)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

  - An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in     the authority component, the authority regular expression exhibits catastrophic backtracking, causing a     denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
    (CVE-2021-33503)

  - python: urllib: HTTP client possible infinite loop on a 100 Continue response (CVE-2021-3737)

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4160 advisory.

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

  - python: urllib: HTTP client possible infinite loop on a 100 Continue response (CVE-2021-3737)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4162 advisory.

  - python-psutil: Double free because of refcount mishandling (CVE-2019-18874)

  - python-jinja2: ReDoS vulnerability in the urlize filter (CVE-2020-28493)

  - CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and     execute arbitrary code (CVE-2021-20095)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - CVE-2021-20095  python-babel: Relative path traversal allows attacker to load arbitrary locale files and     execute arbitrary code (CVE-2021-42771)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4162 advisory.

  - python-psutil: Double free because of refcount mishandling (CVE-2019-18874)

  - python-jinja2: ReDoS vulnerability in the urlize filter (CVE-2020-28493)

  - CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and     execute arbitrary code (CVE-2021-20095)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - CVE-2021-20095  python-babel: Relative path traversal allows attacker to load arbitrary locale files and     execute arbitrary code (CVE-2021-42771)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4160 advisory.

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

  - python: urllib: HTTP client possible infinite loop on a 100 Continue response (CVE-2021-3737)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Vulnerability in the Zero Downtime DB Migration to Cloud component of Oracle Database Server. The     supported version that is affected is 21c. Easily exploitable vulnerability allows high privileged     attacker having Local Logon privilege with logon to the infrastructure where Zero Downtime DB Migration to     Cloud executes to compromise Zero Downtime DB Migration to Cloud. While the vulnerability is in Zero     Downtime DB Migration to Cloud, attacks may significantly impact additional products. Successful attacks     of this vulnerability can result in takeover of Zero Downtime DB Migration to Cloud. (CVE-2021-35599)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are     12.1.0.2, 12.2.0.1, 19c and 21c. Difficult to exploit vulnerability allows low privileged attacker having     Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks     require human interaction from a person other than the attacker. Successful attacks of this vulnerability     can result in takeover of Java VM. (CVE-2021-35619)

  - Vulnerability in the Oracle LogMiner component of Oracle Database Server. Supported versions that are     affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker     having DBA privilege with network access via Oracle Net to compromise Oracle LogMiner. Successful attacks     of this vulnerability can result in unauthorized creation, deletion or modification access to critical     data or all Oracle LogMiner accessible data as well as unauthorized read access to a subset of Oracle     LogMiner accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of Oracle LogMiner. (CVE-2021-2332)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4973-2 advisory.

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:2940-1 advisory.

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2940-1 advisory.

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3254 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619)

  - python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)

  - python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

  - python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary     code (CVE-2021-20095)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by a vulnerability as referenced in the USN-4973-1 advisory.

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the python3 package has been released.

ID	Name	Product	Family	Severity
155969	Oracle Linux 8 : python38:3.8 / and / python38-devel:3.8 (ELSA-2021-4162)	Nessus	Oracle Linux Local Security Checks	critical
155967	Oracle Linux 8 : python39:3.9 / and / python39-devel:3.9 (ELSA-2021-4160)	Nessus	Oracle Linux Local Security Checks	critical
155200	RHEL 8 : python39:3.9 and python39-devel:3.9 (RHSA-2021:4160)	Nessus	Red Hat Local Security Checks	critical
155193	RHEL 8 : python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)	Nessus	Red Hat Local Security Checks	critical
155064	CentOS 8 : python38:3.8 and python38-devel:3.8 (CESA-2021:4162)	Nessus	CentOS Local Security Checks	critical
155040	CentOS 8 : python39:3.9 and python39-devel:3.9 (CESA-2021:4160)	Nessus	CentOS Local Security Checks	critical
154332	Oracle Database Server Multiple Vulnerabilities (October 2021 CPU)	Nessus	Databases	critical
153852	Ubuntu 20.04 LTS : Python vulnerability (USN-4973-2)	Nessus	Ubuntu Local Security Checks	critical
153002	openSUSE 15 Security Update : python39 (openSUSE-SU-2021:2940-1)	Nessus	SuSE Local Security Checks	critical
152997	SUSE SLED15 / SLES15 Security Update : python39 (SUSE-SU-2021:2940-1)	Nessus	SuSE Local Security Checks	critical
152781	RHEL 7 : rh-python38 (RHSA-2021:3254)	Nessus	Red Hat Local Security Checks	critical
150132	Ubuntu 20.04 LTS / 20.10 : Python vulnerability (USN-4973-1)	Nessus	Ubuntu Local Security Checks	critical
149825	Photon OS 4.0: Python3 PHSA-2021-4.0-0028	Nessus	PhotonOS Local Security Checks	critical

CVE-2021-29921

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical