Fluid Attacks Database

Description

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 13	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 14	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9	-
debian 12	python3.11	>=0 <3.11.0~b4-1	3.11.0~b4-1
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| >=0 <3.9.2-1+deb11u2	3.9.2-1+deb11u2
debian 11	pypy3	=7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| =7.3.5+dfsg-2+deb11u3 \|\| >=0 <7.3.5+dfsg-2+deb11u4	7.3.5+dfsg-2+deb11u4
rpm rhel8	python39	<0:3.9.16-1.module+el8.8.0+17625+b531f198	0:3.9.16-1.module+el8.8.0+17625+b531f198
rpm rhel9	python3.9	<0:3.9.14-1.el9	0:3.9.14-1.el9
rpm rhel8	python39-devel	<0:3.9.16-1.module+el8.8.0+17625+b531f198	0:3.9.16-1.module+el8.8.0+17625+b531f198

1-10 of 14

Aliases

1. CVE-2021-288612. NVD-2021-288613. OSV-DEBIAN-2021-288614. OSV-2021-288615. SECURITY-TRACKER-CVE-2021-28861