{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-23336", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-16T18:55:19.315Z", "dateReserved": "2021-01-08T00:00:00", "datePublished": "2021-02-15T12:15:20.788790Z"}, "containers": {"cna": {"title": "Web Cache Poisoning", "datePublic": "2021-02-15T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-20T21:06:13.958312"}, "descriptions": [{"lang": "en", "value": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}], "affected": [{"vendor": "n/a", "product": "python/cpython", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.6.13", "status": "affected", "versionType": "custom"}, {"version": "3.7.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.7.10", "status": "affected", "versionType": "custom"}, {"version": "3.8.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.8.8", "status": "affected", "versionType": "custom"}, {"version": "3.9.0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.9.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"}, {"url": "https://github.com/python/cpython/pull/24297"}, {"url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"}, {"name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"}, {"name": "FEDORA-2021-7547ad987f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"}, {"name": "FEDORA-2021-f4fd9372c7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"}, {"name": "FEDORA-2021-3352c1c802", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"}, {"name": "FEDORA-2021-7d3a9004e2", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"}, {"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}, {"name": "FEDORA-2021-907f3bacae", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"}, {"name": "FEDORA-2021-7c1bb32d13", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"}, {"name": "FEDORA-2021-b1843407ca", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"}, {"name": "FEDORA-2021-2897f5366c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"}, {"name": "FEDORA-2021-b326fcb83f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"}, {"name": "FEDORA-2021-1bb399a5af", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"}, {"name": "FEDORA-2021-ef83e8525a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"}, {"name": "FEDORA-2021-b76ede8f4d", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"}, {"name": "FEDORA-2021-309bc2e727", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"}, {"name": "FEDORA-2021-5a09621ebb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"}, {"name": "FEDORA-2021-e22bb0e548", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"}, {"name": "FEDORA-2021-e525e48886", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"}, {"name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"}, {"name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"}, {"name": "FEDORA-2021-b6b6093b3a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"}, {"name": "GLSA-202104-04", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202104-04"}, {"name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"}, {"name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"}, {"name": "FEDORA-2021-98720f3785", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"}, {"name": "FEDORA-2021-12df7f7382", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"url": "https://security.netapp.com/advisory/ntap-20210326-0004/"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "UNAVAILABLE", "reportConfidence": "CONFIRMED", "baseScore": 5.9, "temporalScore": 5.6, "baseSeverity": "MEDIUM", "temporalSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Web Cache Poisoning"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.612Z"}, "title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933", "tags": ["x_transferred"]}, {"url": "https://github.com/python/cpython/pull/24297", "tags": ["x_transferred"]}, {"url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/", "tags": ["x_transferred"]}, {"name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"}, {"name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"}, {"name": "FEDORA-2021-7547ad987f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"}, {"name": "FEDORA-2021-f4fd9372c7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"}, {"name": "FEDORA-2021-3352c1c802", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"}, {"name": "FEDORA-2021-7d3a9004e2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"}, {"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}, {"name": "FEDORA-2021-907f3bacae", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"}, {"name": "FEDORA-2021-7c1bb32d13", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"}, {"name": "FEDORA-2021-b1843407ca", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"}, {"name": "FEDORA-2021-2897f5366c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"}, {"name": "FEDORA-2021-b326fcb83f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"}, {"name": "FEDORA-2021-1bb399a5af", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"}, {"name": "FEDORA-2021-ef83e8525a", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"}, {"name": "FEDORA-2021-b76ede8f4d", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"}, {"name": "FEDORA-2021-309bc2e727", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"}, {"name": "FEDORA-2021-5a09621ebb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"}, {"name": "FEDORA-2021-e22bb0e548", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"}, {"name": "FEDORA-2021-e525e48886", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"}, {"name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"}, {"name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"}, {"name": "FEDORA-2021-b6b6093b3a", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"}, {"name": "GLSA-202104-04", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202104-04"}, {"name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"}, {"name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"}, {"name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"}, {"name": "FEDORA-2021-98720f3785", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"}, {"name": "FEDORA-2021-12df7f7382", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210326-0004/", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB8842D9-B554-4B83-9E2E-0FAF292E448A", "versionEndExcluding": "3.6.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEB52F35-D464-4C26-A253-1B96B2A4921A", "versionEndExcluding": "3.7.10", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F40C09A-B9FD-40D7-B0A3-89C13DAD040B", "versionEndExcluding": "3.8.8", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ECC4038-73C0-4AEA-99C2-3CFD7C283ABD", "versionEndExcluding": "3.9.2", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2C13438-3C64-40A6-AA0D-327CB722888D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7BD0710-9119-4813-B605-AD61E46EC450", "versionEndExcluding": "2.2.19", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "83059A91-A193-402A-966C-852841B3B84A", "versionEndExcluding": "3.0.13", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9318762-F84D-4012-A969-BAD7E7D7BC66", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "49ACFC73-A509-4D1C-8FC3-F68F495AB055", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A", "vulnerable": true}, {"criteria": "cpe:2.3:o:oracle:zfs_storage_appliance:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "18096778-19E1-434F-BD96-A9FBF11A8C81", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."}, {"lang": "es", "value": "El paquete python/cpython desde versiones 0 y anteriores a 3.6.13, desde versiones 3.7.0 y anteriores a 3.7.10, desde versiones 3.8.0 y anteriores a 3.8.8, desde versiones 3.9.0 y anteriores a 3.9.2, son vulnerables al envenenamiento de cach\u00e9 web por medio de urllib.parse.parse_qsl y urllib.parse.parse_qs usando un vector llamado encubrimiento de par\u00e1metros. Cuando el atacante puede separar los par\u00e1metros de la consulta usando un punto y coma (;), pueden causar una diferencia en la interpretaci\u00f3n de la petici\u00f3n entre el proxy (que se ejecuta con la configuraci\u00f3n predeterminada) y el servidor. Esto puede resultar en que las peticiones maliciosas se almacenen en cach\u00e9 como completamente seguras, ya que el proxy normalmente no ver\u00eda el punto y coma como un separador y, por lo tanto, no lo incluir\u00eda en una clave de cach\u00e9 de un par\u00e1metro sin clave"}], "id": "CVE-2021-23336", "lastModified": "2024-11-21T05:51:31.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-15T13:15:12.433", "references": [{"source": "report@snyk.io", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/24297"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"}, {"source": "report@snyk.io", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-04"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"}, {"source": "report@snyk.io", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/24297"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1633", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-37.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:4151", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8050020210811095446.3e7ace8b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38-devel:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:1633", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-37.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-babel-0:0.9.6-10.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pygments-0:1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-babel-0:0.9.6-10.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pygments-0:1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}], "bugzilla": {"description": "python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters", "id": "1928904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928904"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "status": "verified"}, "cwe": "CWE-444", "details": ["The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", "The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."], "name": "CVE-2021-23336", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python2.7", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2021-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23336\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23336\nhttps://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"], "statement": "The python36 component in the python36:3.6 module in Red Hat Enterprise Linux 8 is listed as not affected, as it does not contain Python interpreter or libraries. Packages of the python36 component only provide convenient links to the Python interpreter included in the non-modular python3 component's platform-python packages. Users of python36:3.6 module also need to check the entry for the python3 component to determine if their systems are affected.\nRed Hat Ceph Storage (RHCS) 3 ships an older version of python-django without the directly affected function, but which is still vulnerable to a similar attack involving the semi colon separator. Hence, impact has been rated as Low.\nAlthough Red Hat OpenStack Platform 13 & 16.1 both ship the affected code, since the proxy is controlled and configured by OpenStack, the impact has been lowered to Low. As a fix would require a substantial effort or commitment of time, no fix will be provided at this time.", "threat_severity": "Moderate", "upstream_fix": "python 3.6.13, python 3.7.10, python 3.8.8, python 3.9.2"}