CVE-2021-21240 - OpenCVE

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Httplib2 Project	Httplib2
Redhat	Openstack

Configuration 1 [-]

cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 16.1
python-httplib2-0:0.13.1-2.el8ost	cpe:/a:redhat:openstack:16.1::el8	RHSA-2021:2116	2021-05-26T00:00:00Z

References

Link	Providers
https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
https://github.com/httplib2/httplib2/pull/182
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
https://nvd.nist.gov/vuln/detail/CVE-2021-21240
https://pypi.org/project/httplib2
https://www.cve.org/CVERecord?id=CVE-2021-21240

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-02-08T19:45:19

Updated: 2024-08-03T18:09:14.827Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21240

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-08T20:15:12.197

Modified: 2021-02-12T14:56:39.647

Link: CVE-2021-21240

Redhat

Severity : Low

Publid Date: 2021-01-09T00:00:00Z

Links: CVE-2021-21240 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "httplib2", "vendor": "httplib2", "versions": [{"status": "affected", "version": "< 0.19.0"}]}], "descriptions": [{"lang": "en", "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-08T19:45:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/httplib2/httplib2/pull/182"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/httplib2"}], "source": {"advisory": "GHSA-93xj-8mrv-444m", "discovery": "UNKNOWN"}, "title": "Regular Expression Denial of Service in httplib2", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21240", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service in httplib2"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "httplib2", "version": {"version_data": [{"version_value": "< 0.19.0"}]}}]}, "vendor_name": "httplib2"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", "refsource": "CONFIRM", "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"}, {"name": "https://github.com/httplib2/httplib2/pull/182", "refsource": "MISC", "url": "https://github.com/httplib2/httplib2/pull/182"}, {"name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", "refsource": "MISC", "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"}, {"name": "https://pypi.org/project/httplib2", "refsource": "MISC", "url": "https://pypi.org/project/httplib2"}]}, "source": {"advisory": "GHSA-93xj-8mrv-444m", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:14.827Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/httplib2/httplib2/pull/182"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/httplib2"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21240", "datePublished": "2021-02-08T19:45:19", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:14.827Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*", "matchCriteriaId": "D5BA135E-6889-4A5D-88F6-1AD4DBC498BE", "versionEndExcluding": "0.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."}, {"lang": "es", "value": "httplib2 es una biblioteca cliente HTTP completa para Python. En httplib2 anterior a la versi\u00f3n 0.19.0, un servidor malicioso que responde con una larga serie de caracteres \"\\xa0\" en el encabezado \"www-authenticate\" puede causar una Denegaci\u00f3n de Servicio (CPU quemada mientras analiza el encabezado) del cliente httplib2 que accede a dicho servidor. Esto se corrigi\u00f3 en la versi\u00f3n 0.19.0, que contiene una nueva implementaci\u00f3n de an\u00e1lisis de encabezados de autenticaci\u00f3n usando la biblioteca pyparsing"}], "id": "CVE-2021-21240", "lastModified": "2021-02-12T14:56:39.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-08T20:15:12.197", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/httplib2/httplib2/pull/182"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/httplib2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2116", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-httplib2-0:0.13.1-2.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2021-05-26T00:00:00Z"}], "bugzilla": {"description": "python-httplib2: Regular expression denial of service via malicious header", "id": "1926885", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1926885"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", "An uncontrolled resource consumption flaw as found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values."}, "name": "CVE-2021-21240", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-httplib2", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "fence-agents", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python-httplib2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-httplib2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-httplib2", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "python-httplib2", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-httplib2", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "python-httplib2", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2021-01-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21240\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21240\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"], "statement": "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.", "threat_severity": "Low", "upstream_fix": "httplib2 0.19.0"}