CVE-2021-3737

Description

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Related CPE's

apythonpython********

apythonpython********

apythonpython********

apythonpython********

oredhatenterprise_linux7.0*******

oredhatenterprise_linux6.0*******

oredhatenterprise_linux8.0*******

oredhatenterprise_linux_for_power_little_endian8.0*******

oredhatenterprise_linux_for_ibm_z_systems8.0*******

aredhatcodeready_linux_builder8.0*******

References

https://github.com/python/cpython/pull/25916

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1995162

Issue TrackingPatchThird Party Advisory

https://ubuntu.com/security/CVE-2021-3737

PatchThird Party Advisory

https://github.com/python/cpython/pull/26503

PatchThird Party Advisory

https://bugs.python.org/issue44022

ExploitIssue TrackingVendor Advisory

https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20220407-0009/

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

NONE

PrivilegesRequired

NONE

BaseScore

7.5

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

MEDIUM

ConfidentialityImpact

NONE

AvailabilityImpact

COMPLETE

IntegrityImpact

NONE

BaseScore

7.1

VectorString

AV:N/AC:M/Au:N/C:N/I:N/A:C

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io