CVSSv3: 5.9

CVE-2021-23336

Published: 15/02/2021 Updated: 07/11/2023
CVSS v2 Base Score: 4 | Impact Score: 4.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 5.9 | Impact Score: 4.2 | Exploitability Score: 1.6
VMScore: 357
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P

Vulnerability Summary

The package python/cpython, in versions prior to 3.6.13, from 3.7.0 prior to 3.7.10, from 3.8.0 prior to 3.8.8, and from 3.9.0 prior to 3.9.2, is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs through a vector called parameter cloaking. When an attacker can separate query parameters using a semicolon (;), they can cause the proxy (running with its default configuration) and the server to interpret the same request differently. Malicious requests can then be cached as if they were completely safe, because the proxy does not usually treat the semicolon as a separator and therefore does not include the cloaked value in the cache key when it sits inside an unkeyed parameter.
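The discrepancy described above, worked through as an added example (this is not code from the CVE record, from CPython, or from any advisory linked on this page). It models the two parsing conventions the summary contrasts, a proxy that splits the query string on `&` only and an unpatched `parse_qs`/`parse_qsl` that also splits on `;`, shows why a proxy keying only on a subset of parameters can serve the wrong cached response, and gives the two defensive checks a cache or WAF layer would want: report any parameter that is visible only under semicolon splitting, and key on the full raw query so no interpretation can hide behind an unkeyed parameter. All function names, the `keyed_names` convention and the sample query strings are assumptions constructed for the example; `runtime_splits_on_semicolon` calls the real `urllib.parse.parse_qsl` to audit the running interpreter.

```python
"""Model the proxy/application parsing discrepancy behind CVE-2021-23336.

Added example, not code from CPython or the advisories linked on this page.
Function names, the keyed-parameter convention and the sample queries are
assumptions constructed for illustration.
"""
from urllib.parse import parse_qsl

# The two separator conventions the vulnerability summary contrasts.
PROXY_SEPARATORS = "&"       # a typical cache/proxy splits on '&' only
UNPATCHED_SEPARATORS = "&;"  # parse_qs/parse_qsl before the fix also split on ';'


def _split_on_any(text, separators):
    """Yield the substrings of `text` delimited by any character in `separators`."""
    token = ""
    for ch in text:
        if ch in separators:
            yield token
            token = ""
        else:
            token += ch
    yield token


def split_params(query, separators):
    """Split a raw query string into (name, value) pairs on any of `separators`.

    Written by hand, rather than via urllib, so the result does not depend on
    whether the running interpreter is patched. Percent-decoding is omitted
    because it plays no part in the separator discrepancy.
    """
    pairs = []
    for token in _split_on_any(query, separators):
        if token:
            name, _, value = token.partition("=")
            pairs.append((name, value))
    return pairs


def cloaked_params(query):
    """Detection: parameter names an unpatched application would see that an
    '&'-only proxy does not. A non-empty result means the request is interpreted
    differently on the two sides and should be rejected or keyed in full."""
    proxy_names = {name for name, _ in split_params(query, PROXY_SEPARATORS)}
    app_names = {name for name, _ in split_params(query, UNPATCHED_SEPARATORS)}
    return sorted(app_names - proxy_names)


def proxy_cache_key(path, query, keyed_names):
    """The weak scheme the summary describes: the proxy splits on '&' and keys
    only on `keyed_names`; whatever sits inside an unkeyed parameter (including a
    ';'-separated value the backend would split out) never reaches the key."""
    pairs = [(n, v) for n, v in split_params(query, PROXY_SEPARATORS) if n in keyed_names]
    return path + "?" + "&".join(f"{n}={v}" for n, v in sorted(pairs))


def hardened_cache_key(path, query):
    """Mitigation: key on the complete raw query string. Any byte that could
    change the backend's interpretation, under either separator convention,
    then also changes the cache key, so no parameter is ever unkeyed."""
    return path + "?" + query


def runtime_splits_on_semicolon():
    """Audit helper: True if this interpreter's parse_qsl still treats ';' as a
    separator, i.e. it predates the fixed releases listed in the summary."""
    return len(parse_qsl("a=1;b=2")) == 2


if __name__ == "__main__":
    keyed = {"q"}                       # proxy keys only on 'q' (assumed policy)
    clean = "q=shoes"                   # constructed sample request
    cloaked = "q=shoes&utm=1;page=2"    # constructed: 'page' hidden inside 'utm'
    print("proxy sees:       ", split_params(cloaked, PROXY_SEPARATORS))
    print("unpatched app sees", split_params(cloaked, UNPATCHED_SEPARATORS))
    print("cloaked names:    ", cloaked_params(cloaked))
    print("weak keys equal:  ", proxy_cache_key("/s", clean, keyed) == proxy_cache_key("/s", cloaked, keyed))
    print("hard keys equal:  ", hardened_cache_key("/s", clean) == hardened_cache_key("/s", cloaked))
    print("runtime unpatched:", runtime_splits_on_semicolon())
```

The two checks complement each other: `cloaked_params` is the signal to alert or block on at the edge, while `hardened_cache_key` removes the precondition entirely by refusing to have unkeyed parameters. On the application side, the fixed releases named in the summary stop splitting on `;` by default and expose the separator as an explicit `separator` keyword argument of `parse_qs` and `parse_qsl`, so upgrading is the primary fix; `runtime_splits_on_semicolon` is a quick way to confirm a given interpreter has it.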

Vulnerable Products

python python

fedoraproject fedora 32

fedoraproject fedora 33

fedoraproject fedora 34

debian debian linux 9.0

netapp cloud backup -

netapp snapcenter -

netapp ontap select deploy administration utility -

netapp inventory collect tool -

djangoproject django

oracle zfs storage appliance 8.8

oracle enterprise manager ops center 12.4.0.0

oracle communications offline mediation controller 12.0.0.3.0

oracle communications pricing design center 12.0.0.3.0

Vendor Advisories

Debian Bug report logs - #983090 python-django: CVE-2021-23336 Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>; Source for python-django is src:python-django (PTS, buildd, popcon) Reported by: "Chris Lamb" <lamby@debian.org> Date: Fri, 19 Feb 2021 09:21:02 U ...
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP (CVE-2020-27619). The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolo ...
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuratio ...
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), the ...

References

CWE-444
https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
https://github.com/python/cpython/pull/24297
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
http://www.openwall.com/lists/oss-security/2021/02/19/4
https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html
https://security.netapp.com/advisory/ntap-20210326-0004/
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html
https://security.gentoo.org/glsa/202104-04
http://www.openwall.com/lists/oss-security/2021/05/01/2
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983090
https://nvd.nist.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10
https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html