ALT-PU-2021-1784-1
Closed vulnerabilities
BDU:2021-04696
Уязвимость библиотеки ipaddress интерпретатора языка программирования Python, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
BDU:2022-02302
Уязвимость модуля urllib.parse интерпретатора языка программирования Python, позволяющая нарушителю внедрить произвольные данные в ответ сервера
BDU:2022-05838
Уязвимость класса AbstractBasicAuthHandler компонента urllib.request интерпретатора языка программирования Python, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-29921
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
- https://bugs.python.org/issue36384
- https://bugs.python.org/issue36384
- https://docs.python.org/3/library/ipaddress.html
- https://docs.python.org/3/library/ipaddress.html
- https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
- https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
- https://github.com/python/cpython/pull/12577
- https://github.com/python/cpython/pull/12577
- https://github.com/python/cpython/pull/25099
- https://github.com/python/cpython/pull/25099
- https://github.com/sickcodes
- https://github.com/sickcodes
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
- https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
- https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
- GLSA-202305-02
- GLSA-202305-02
- https://security.netapp.com/advisory/ntap-20210622-0003/
- https://security.netapp.com/advisory/ntap-20210622-0003/
- https://sick.codes/sick-2021-014
- https://sick.codes/sick-2021-014
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Modified: 2024-11-21
CVE-2021-3733
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
- https://bugs.python.org/issue43075
- https://bugs.python.org/issue43075
- https://bugzilla.redhat.com/show_bug.cgi?id=1995234
- https://bugzilla.redhat.com/show_bug.cgi?id=1995234
- https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
- https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
- https://github.com/python/cpython/pull/24391
- https://github.com/python/cpython/pull/24391
- [debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update
- [debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update
- [debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update
- [debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update
- https://security.netapp.com/advisory/ntap-20220407-0001/
- https://security.netapp.com/advisory/ntap-20220407-0001/
- https://ubuntu.com/security/CVE-2021-3733
- https://ubuntu.com/security/CVE-2021-3733
Modified: 2024-11-21
CVE-2022-0391
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
- https://bugs.python.org/issue43882
- https://bugs.python.org/issue43882
- [debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update
- [debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update
- FEDORA-2022-18ad73aba6
- FEDORA-2022-18ad73aba6
- FEDORA-2022-ef99a016f6
- FEDORA-2022-ef99a016f6
- GLSA-202305-02
- GLSA-202305-02
- https://security.netapp.com/advisory/ntap-20220225-0009/
- https://security.netapp.com/advisory/ntap-20220225-0009/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html