CVE-2021-23336 : The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.1

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Published 2021-02-15 13:15:12

Updated 2022-03-04 19:13:15

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2021-23336

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.4.0.0
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Pricing Design Center » Version: 12.0.0.3.0
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Zfs Storage Appliance » Version: 8.8
cpe:2.3:o:oracle:zfs_storage_appliance:8.8:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Offline Mediation Controller » Version: 12.0.0.3.0
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Ontap Select Deploy Administration Utility » Version: N/A
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
Matching versions
Netapp » Inventory Collect Tool » Version: N/A
cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*
Matching versions
Djangoproject » Django
Versions from including (>=) 3.0 and before (<) 3.0.13
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Matching versions
Djangoproject » Django
Versions from including (>=) 2.2 and before (<) 2.2.19
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Matching versions
Djangoproject » Django
Versions from including (>=) 3.1 and before (<) 3.1.7
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.8.0 and before (<) 3.8.8
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions before (<) 3.6.13
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.9.0 and before (<) 3.9.2
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.7.0 and before (<) 3.7.10
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-23336

Top countries where our scanners detected CVE-2021-23336

Top open port discovered on systems with this issue 80

IPs affected by CVE-2021-23336 411,477

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-23336!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-23336

EPSS FAQ

0.34%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-23336

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:H/Au:N/C:N/I:P/A:P	4.9	4.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H	1.6	4.2	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: High
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H	1.6	4.2	Snyk
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: High

CWE ids for CVE-2021-23336

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-23336

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/

[SECURITY] Fedora 33 Update: python3.7-3.7.10-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/

[SECURITY] Fedora 32 Update: mingw-python3-3.8.8-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/

[SECURITY] Fedora 32 Update: python37-3.7.10-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E

Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/

[SECURITY] Fedora 34 Update: python2.7-2.7.18-11.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/

[SECURITY] Fedora 32 Update: python39-3.9.2-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/

Cache poisoning in popular open source packages | Snyk Blog
Technical Description;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/

[SECURITY] Fedora 34 Update: python3.10-3.10.0~a6-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/

[SECURITY] Fedora 34 Update: mingw-python3-3.9.2-2.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/

[SECURITY] Fedora 32 Update: python3.10-3.10.0~a6-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html

[SECURITY] [DLA 2619-1] python3.5 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/

[SECURITY] Fedora 32 Update: python36-3.6.13-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/

[SECURITY] Fedora 33 Update: python3.10-3.10.0~a6-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/

[SECURITY] Fedora 32 Update: python-django-3.0.13-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/

[SECURITY] Fedora 33 Update: mingw-python3-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/01/2

oss-security - CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/

[SECURITY] Fedora 33 Update: python-django-3.0.13-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210326-0004/

CVE-2021-23336 Python Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/

[SECURITY] Fedora 34 Update: python-django-3.1.7-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933

Web Cache Poisoning in python/cpython | Snyk
Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/02/19/4

oss-security - Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``
Mailing List;Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/

[SECURITY] Fedora 32 Update: python3-3.8.9-1.fc32 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E

[jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/python/cpython/pull/24297

bpo-42967: only use '&' as a query string separator by AdamGold · Pull Request #24297 · python/cpython · GitHub
Patch;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html

[SECURITY] [DLA 2569-1] python-django security update
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/

[SECURITY] Fedora 33 Update: python3.9-3.9.2-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/

[SECURITY] Fedora 33 Update: python3.6-3.6.13-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202104-04

Python: Multiple vulnerabilities (GLSA 202104-04) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/

[SECURITY] Fedora 33 Update: python2.7-2.7.18-11.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html

[SECURITY] [DLA 2628-1] python2.7 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/

[SECURITY] Fedora 33 Update: python3.8-3.8.8-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory