Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/http-server-redirection.html below:

Open Redirection if the URL path starts with // — Python Security 0.0 documentation

This security flaw causes an open redirection vulnerability in Lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path.

Dates:

• Disclosure date: 2021-02-14 (Python issue gh-87389 reported)

• Reported at: 2021-02-14

• Reported by: Hamza Avvan (email to PSRT)

• Python 3.7.14 (2022-09-06) fixed by commit 8a34afd (branch 3.7) (2022-06-22)

• Python 3.8.14 (2022-09-06) fixed by commit 4dc2cae (branch 3.8) (2022-06-22)

• Python 3.9.14 (2022-09-06) fixed by commit defaa2b (branch 3.9) (2022-06-22)

• Python 3.10.6 (2022-08-01) fixed by commit 5715382 (branch 3.10) (2022-06-21)

• Python 3.11.0 (2022-10-24) fixed by commit e2e8847 (branch 3.11) (2022-06-21)

[security] CVE-2021-28861: http.server: Open Redirection if the URL path starts with //.

• Python issue: gh-87389

• Creation date: 2021-02-14

• Reporter: Hamza Avvan

** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states “Warning: http.server is not recommended for production. It only implements basic security checks.”

• CVE ID: CVE-2021-28861

• Published: 2022-08-23

Timeline using the disclosure date 2021-02-14 as reference:

• 2021-02-14: Reported

• 2021-02-14: Python issue gh-87389 reported by Hamza Avvan

• 2022-06-21 (+492 days): commit 4abab6b (branch 3.12)

• 2022-06-21 (+492 days): commit 5715382 (branch 3.10)

• 2022-06-21 (+492 days): commit e2e8847 (branch 3.11)

• 2022-06-22 (+493 days): commit 4dc2cae (branch 3.8)

• 2022-06-22 (+493 days): commit 8a34afd (branch 3.7)

• 2022-06-22 (+493 days): commit defaa2b (branch 3.9)

• 2022-08-01 (+533 days): Python 3.10.6 released

• 2022-08-23 (+555 days): CVE-2021-28861 published

• 2022-09-06 (+569 days): Python 3.7.14 released

• 2022-09-06 (+569 days): Python 3.8.14 released

• 2022-09-06 (+569 days): Python 3.9.14 released

• 2022-10-24: Python 3.11.0 released

• https://access.redhat.com/security/cve/CVE-2021-28861

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4