First published: Mon Aug 22 2022
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python3 | <0:3.6.8-48.el8_7.1 | 0:3.6.8-48.el8_7.1 |
| redhat/python3.9 | <0:3.9.14-1.el9 | 0:3.9.14-1.el9 |
| redhat/rh-python38-python | <0:3.8.14-1.el7 | 0:3.8.14-1.el7 |
| Python Python | >=3.0.0, <3.7.14 | |
| Python Python | >=3.8.0, <3.8.14 | |
| Python Python | >=3.9.0, <3.9.14 | |
| Python Python | >=3.10.0, <3.10.6 | |
| Python Python | =3.11.0-alpha1 | |
| Python Python | =3.11.0-alpha2 | |
| Python Python | =3.11.0-alpha3 | |
| Python Python | =3.11.0-alpha4 | |
| Python Python | =3.11.0-alpha5 | |
| Python Python | =3.11.0-alpha6 | |
| Python Python | =3.11.0-alpha7 | |
| Python Python | =3.11.0-beta1 | |
| Python Python | =3.11.0-beta2 | |
| Python Python | =3.11.0-beta3 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| IBM Security Verify Access Docker | <=10.0.X | |
| IBM Security Verify Access | <=10.0.X | |
| debian/pypy3 | <=7.3.5+dfsg-2+deb11u2 | 7.3.5+dfsg-2+deb11u4, 7.3.11+dfsg-2+deb12u3, 7.3.17+dfsg-3 |
| debian/python2.7 | <=2.7.18-8+deb11u1 | |
| debian/python3.11 | 3.11.2-6+deb12u5, 3.11.2-6+deb12u3 | |
| debian/python3.9 | <=3.9.2-1 | 3.9.2-1+deb11u2 |
CVE-2021-28861 is an open redirection vulnerability in lib/http/server.py that affects Python 3.x through 3.10.
CVE-2021-28861 affects Python 3.x through 3.10.
CVE-2021-28861 has a severity rating of high.
CVE-2021-28861 may lead to information disclosure.
To fix CVE-2021-28861, update to the recommended versions of Python that have the patch applied.
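The mechanism behind this advisory is that http.server's file handler, when asked for a directory without a trailing slash, appends "/" to the request path and sends it back in a Location header; if the request path begins with two slashes, the resulting Location value is scheme-relative and points at another host. The example below is added here and is not the advisory's or CPython's own code: it shows a normalization step that collapses leading slashes before the path is used, a redirect-target builder that makes the difference visible, a handler subclass that applies the normalization on older interpreters, and a check over constructed access-log lines for requests with a double-slash target. That the upstream fix works by collapsing leading slashes during request parsing is my understanding, not something this page states; all function names are mine.

```python
"""Added example for CVE-2021-28861 (not from the advisory or from CPython).

Demonstrates the defensive normalization of request paths that begin with
multiple slashes, and a log check for such requests.
"""
from __future__ import annotations

import re
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit, urlunsplit


def normalize_request_path(path: str) -> str:
    """Reduce any run of leading slashes to exactly one.

    Assumed to mirror the upstream approach; applied before the path is used
    for file lookup or redirects.
    """
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def directory_redirect_target(request_path: str) -> str:
    """Build the Location value a directory redirect produces for request_path.

    Same shape as http.server's directory redirect: split the request target,
    append '/' to the path component, and reassemble.  Note that urlsplit
    treats a leading '//' as a netloc, which is exactly what makes the
    unnormalized case dangerous.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith("/"):
        return request_path
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path + "/", parts.query, parts.fragment)
    )


def is_scheme_relative(location: str) -> bool:
    """True if clients would read this Location value as //host/... ."""
    return location.startswith("//")


class HardenedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that collapses leading slashes right after the
    request line is parsed, for interpreters that predate the upstream fix."""

    def parse_request(self) -> bool:
        ok = super().parse_request()
        if ok:
            self.path = normalize_request_path(self.path)
        return ok


# Constructed sample of http.server access-log lines (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [22/Aug/2022 12:00:01] "GET /docs HTTP/1.1" 301 -
127.0.0.1 - - [22/Aug/2022 12:00:02] "GET //example.org HTTP/1.1" 301 -
127.0.0.1 - - [22/Aug/2022 12:00:03] "GET /docs/ HTTP/1.1" 200 -
"""

# Matches the quoted request line http.server writes: "METHOD target HTTP/x.y"
_REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')


def suspicious_request_lines(log_text: str) -> list[str]:
    """Return request targets that start with two or more slashes."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST_LINE.search(line)
        if m and m.group(1).startswith("//"):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    # Serve the current directory with the hardened handler on localhost only.
    ThreadingHTTPServer(("127.0.0.1", 8000), HardenedHandler).serve_forever()
</```

Run the module directly to serve the current directory with the hardened handler; on a patched interpreter the subclass is harmless because the path is already normalized by the time it sees it. The `directory_redirect_target` helper exists only to make the two Location values comparable in a test; it does not touch the network.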