CVE-2021-23336

15.02.2021, 13:15

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

HTTP Request/Response Smuggling

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
snyk	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 54%

Vendor	Product	Version
python	python	𝑥 < 3.6.13
python	python	3.7.0 ≤ 𝑥 < 3.7.10
python	python	3.8.0 ≤ 𝑥 < 3.8.8
python	python	3.9.0 ≤ 𝑥 < 3.9.2
debian	debian_linux	9.0
netapp	cloud_backup	-
netapp	inventory_collect_tool	-
netapp	ontap_select_deploy_administration_utility	-
netapp	snapcenter	-
djangoproject	django	2.2 ≤ 𝑥 < 2.2.19
djangoproject	django	3.0 ≤ 𝑥 < 3.0.13
djangoproject	django	3.1 ≤ 𝑥 < 3.1.7
oracle	communications_offline_mediation_controller	12.0.0.3.0
oracle	communications_pricing_design_center	12.0.0.3.0
oracle	enterprise_manager_ops_center	12.4.0.0
oracle	zfs_storage_appliance	8.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

pypy3

bullseye (security)	7.3.5+dfsg-2+deb11u2 fixed
bullseye	7.3.5+dfsg-2+deb11u2 fixed
buster	no-dsa
bookworm	7.3.11+dfsg-2+deb12u2 fixed
sid	7.3.17+dfsg-2 fixed
trixie	7.3.17+dfsg-2 fixed

python-django

bullseye (security)	2:2.2.28-1~deb11u2 fixed
bullseye	2:2.2.28-1~deb11u2 fixed
buster	no-dsa
bookworm	3:3.2.19-1+deb12u1 fixed
bookworm (security)	3:3.2.19-1+deb12u1 fixed
sid	3:4.2.16-1 fixed
trixie	3:4.2.16-1 fixed

python2.7

bullseye	2.7.18-8+deb11u1 fixed
buster	no-dsa

python3.9

bullseye	3.9.2-1 fixed
buster	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

python-django

noble	Fixed 2.2.19-1 released
mantic	Fixed 2.2.19-1 released
lunar	Fixed 2.2.19-1 released
kinetic	Fixed 2.2.19-1 released
jammy	Fixed 2.2.19-1 released
impish	Fixed 2.2.19-1 released
hirsute	Fixed 2.2.19-1 released
groovy	Fixed 2:2.2.16-1ubuntu0.2 released
focal	Fixed 2:2.2.12-1ubuntu0.4 released
bionic	Fixed 1:1.11.11-1ubuntu1.11 released
xenial	not-affected
trusty	not-affected

python2.7

noble	dne
mantic	dne
lunar	dne
kinetic	ignored
jammy	ignored
impish	ignored
hirsute	ignored
groovy	ignored
focal	ignored
bionic	ignored
xenial	ignored
trusty	ignored

python3.4

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	dne
xenial	dne
trusty	ignored

python3.5

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	dne
xenial	ignored
trusty	ignored

python3.6

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

python3.7

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

python3.8

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	ignored
focal	ignored
bionic	ignored
xenial	dne
trusty	dne

python3.9

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	not-affected
hirsute	not-affected
groovy	Fixed 3.9.5-3~20.10.1 released
focal	Fixed 3.9.5-3~20.04.1 released
bionic	dne
xenial	dne
trusty	dne