Detections
Analytics

TencentOS Server 3: python38 (TSSA-2022:0192)

high Nessus Plugin ID 239882

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0192 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2021-3426:
 There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

 CVE-2021-3733:
 There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

 CVE-2021-3737:
 A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

 CVE-2021-29921:
 In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20220192.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3733

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3737

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29921

Plugin Details

Severity: High

ID: 239882

File Name: tencentos_TSSA_2022_0192.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:python38

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/25/2022

Vulnerability Publication Date: 11/25/2022