CVE-2021-3737
First published: Mon Aug 09 2021(Updated: )
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python3 | <0:3.6.8-45.el8 | 0:3.6.8-45.el8 |
| redhat/python27-python | <0:2.7.18-4.el7 | 0:2.7.18-4.el7 |
| redhat/python | <3.6.14 | 3.6.14 |
| redhat/python | <3.7.11 | 3.7.11 |
| redhat/python | <3.8.11 | 3.8.11 |
| redhat/python | <3.9.6 | 3.9.6 |
| Python Python | >=3.6.0<3.6.14 | |
| Python Python | >=3.7.0<3.7.11 | |
| Python Python | >=3.8.0<3.8.11 | |
| Python Python | >=3.9.0<3.9.6 | |
| Redhat Codeready Linux Builder | =8.0 | |
| Redhat Codeready Linux Builder For Ibm Z Systems | =8.0 | |
| Redhat Codeready Linux Builder For Power Little Endian | =8.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =21.04 | |
| Netapp Hci | ||
| Netapp Management Services For Element Software | ||
| Netapp Netapp Xcp Smb | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Xcp Nfs | ||
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
| IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |
| debian/pypy3 | <=7.3.5+dfsg-2+deb11u2<=7.3.5+dfsg-2+deb11u3 | 7.3.11+dfsg-2+deb12u2 7.3.17+dfsg-2 |
| debian/python2.7 | <=2.7.18-8+deb11u1 | |
| debian/python3.9 | <=3.9.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3737 https://nvd.nist.gov/vuln/detail/CVE-2021-3737
- https://bugzilla.redhat.com/show_bug.cgi?id=1995162
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2022:1764
- https://access.redhat.com/errata/RHSA-2022:1821
- https://access.redhat.com/errata/RHSA-2022:1986
- https://access.redhat.com/errata/RHSA-2022:1663
- https://access.redhat.com/security/cve/cve-2021-3737
- https://bugs.python.org/issue44022
- https://github.com/python/cpython/pull/25916
- https://github.com/python/cpython/pull/26503
- https://ubuntu.com/security/CVE-2021-3737
- https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html
- https://security.netapp.com/advisory/ntap-20220407-0009/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://launchpad.net/bugs/cve/CVE-2021-3737
- https://build.opensuse.org/package/view_file/devel:languages:python:Factory/python/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch?expand=1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1991918
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997670
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997671
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997672
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997673
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997674
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997675
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997676
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997677
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997669
- https://exchange.xforce.ibmcloud.com/vulnerabilities/213407
- https://www.ibm.com/support/pages/node/6828527 (Advisory)
- https://github.com/python/cpython/commit/60ba0b68470a584103e28958d91e93a6db37ec92
- https://github.com/python/cpython/commit/ea9327036680acc92d9f89eaf6f6a54d2f8d78d9
- https://github.com/python/cpython/commit/f396864ddfe914531b5856d7bf852808ebfc01ae
- https://github.com/python/cpython/commit/078b146f062d212919d0ba25e34e658a8234aa63
- https://github.com/python/cpython/commit/f68d2d69f1da56c2aea1293ecf93ab69a6010ad7
- https://github.com/python/cpython/commit/98e5a7975d99b58d511f171816ecdfb13d5cca18
- https://github.com/python/cpython/commit/5df4abd6b033a5f1e48945c6988b45e35e76f647
- https://github.com/python/cpython/commit/0389426fa4af4dfc8b1d7f3f291932d928392d8b
- https://github.com/python/cpython/commit/fee96422e6f0056561cf74fef2012cc066c9db86
- https://github.com/python/cpython/commit/1b6f4e5e13ebd1f957b47f7415b53d0869bdbac6
- https://security-tracker.debian.org/tracker/CVE-2021-3737
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3737
- https://nvd.nist.gov/vuln/detail/CVE-2021-3737
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-3737?
CVE-2021-3737 is a vulnerability in Python that allows a remote attacker to cause a denial of service by making the client script enter an infinite loop.
What is the severity of CVE-2021-3737?
The severity of CVE-2021-3737 is high with a CVSS score of 7.5.
How does CVE-2021-3737 affect Python?
CVE-2021-3737 affects Python versions 3.6.0 to 3.6.14, 3.7.0 to 3.7.11, 3.8.0 to 3.8.11, and 3.9.0 to 3.9.6.
How can I fix CVE-2021-3737?
To fix CVE-2021-3737, update Python to version 3.6.15, 3.7.12, 3.8.12, or 3.9.7, depending on your installed version.
Where can I find more information about CVE-2021-3737?
You can find more information about CVE-2021-3737 on the official Python bug tracker and GitHub repository.
- collector/redhat-cve
- agent/weakness
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3737
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- version/python python/3.9.0
- vendor/redhat
- canonical/redhat codeready linux builder
- version/redhat codeready linux builder/8.0
- canonical/redhat codeready linux builder for ibm z systems
- version/redhat codeready linux builder for ibm z systems/8.0
- canonical/redhat codeready linux builder for power little endian
- version/redhat codeready linux builder for power little endian/8.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/21.04
- vendor/netapp
- canonical/netapp hci
- canonical/netapp management services for element software
- canonical/netapp netapp xcp smb
- canonical/netapp ontap select deploy administration utility
- canonical/netapp xcp nfs
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0
- vendor/ibm
- canonical/ibm cognos analytics 11.2.x
- version/ibm cognos analytics 11.2.x/ibm cognos analytics 11.2.x
- canonical/ibm cognos analytics 11.1.x
- version/ibm cognos analytics 11.1.x/ibm cognos analytics 11.1.x
- package-manager/debian