CVE-2021-3737
HIGH7.5EPSS 0.12%發布日:2022/3/4修改日:2026/4/28
也稱為:DEBIAN-CVE-2021-3737
描述
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
受影響套件(6)
- Bitnami/libpython>= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
- Bitnami/python>= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
- Bitnami/python-min>= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
- Debian/pypy3from 0, < 7.3.5+dfsg-2+deb11u4
- Debian/python2.7from 0
- Debian/python3.9from 0, < 3.9.2-1+deb11u2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(14)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3737
- WEBhttps://bugs.python.org/issue44022
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1995162
- WEBhttps://github.com/python/cpython/pull/25916
- WEBhttps://github.com/python/cpython/pull/26503
- WEBhttps://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- WEBhttps://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-3737
- WEBhttps://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html
- WEBhttps://security.netapp.com/advisory/ntap-20220407-0009/
- WEBhttps://ubuntu.com/security/CVE-2021-3737
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html