Vulnerability Details : CVE-2021-3737
A flaw was found in Python's HTTP client (http.client, which urllib uses under the hood). When a server replies with an interim 100 Continue status, the client discards that interim response's header block by reading lines until it reaches a blank line, with no bound on how many lines it will read. A remote attacker who controls the HTTP server can therefore answer with a 100 Continue followed by an unending stream of non-blank header lines, keeping the client script in that read loop and consuming CPU time for as long as the server keeps sending. The client does not need to have sent an Expect: 100-continue request for this code path to be taken. The upstream fix (bpo-44022, cpython PR #25916) caps the number of header lines the client will skip. The highest threat from this vulnerability is to system availability.
Products affected by CVE-2021-3737
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:netapp_xcp_smb:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:xcp_nfs:-:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2021-3737 (attack surface intelligence from SecurityScorecard)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2021-3737: 1,174,235
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2021-3737
- EPSS score: 1.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~84% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-3737
CVSS Version | Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---|---
2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C | 8.6 | 6.9 | NIST |
3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2021-3737
- CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary), secalert@redhat.com (Secondary)
- CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop'): The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by: nvd@nist.gov (Primary), secalert@redhat.com (Secondary)
References for CVE-2021-3737
- https://ubuntu.com/security/CVE-2021-3737 : CVE-2021-3737 | Ubuntu (Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html : [SECURITY] [DLA 3477-1] python3.7 security update
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html : [SECURITY] [DLA 3432-1] python2.7 security update
- https://security.netapp.com/advisory/ntap-20220407-0009/ : CVE-2021-3737 Python Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/python/cpython/pull/25916 : bpo-44022: Fix http client infinite line reading (DoS) after a http 100, by gen-xu, Pull Request #25916, python/cpython (Patch; Third Party Advisory)
- https://github.com/python/cpython/pull/26503 : bpo-44022: Improve the security fix regression test, by gpshead, Pull Request #26503, python/cpython (Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1995162 : 1995162 – (CVE-2021-3737) CVE-2021-3737 python: urllib: HTTP client possible infinite loop on a 100 Continue response (Issue Tracking; Patch; Third Party Advisory)
- https://bugs.python.org/issue44022 : Issue 44022: CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response, Python tracker (Exploit; Issue Tracking; Vendor Advisory)
- https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html : CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response, Python Security documentation (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html : Oracle Critical Patch Update Advisory - July 2022 (Patch; Third Party Advisory)