.. _urllib-100-continue-loop:

CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response
===================================================================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

If a client requests an HTTP, HTTPS or FTP service that is controlled by an
attacker, the attacker can make the client hang forever, even if the client
set a *timeout* argument. The timeout bounds each individual socket
operation, not the request as a whole: a server that keeps sending data
without ever completing the response never lets it expire.

Dates:

* Disclosure date: **2021-05-03** (Python issue bpo-44022 reported)

Fixed In
--------

* Python **3.6.14** (2021-06-28) fixed by `commit f68d2d6 (branch 3.6) `_ (2021-05-06)
* Python **3.7.11** (2021-06-28) fixed by `commit 078b146 (branch 3.7) `_ (2021-05-06)
* Python **3.8.11** (2021-06-28) fixed by `commit f396864 (branch 3.8) `_ (2021-05-06)
* Python **3.9.6** (2021-06-28) fixed by `commit ea93270 (branch 3.9) `_ (2021-05-05)
* Python **3.10.0** (2021-10-04) fixed by `commit 60ba0b6 (branch 3.10) `_ (2021-05-05)

Python issue
------------

CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.

* Python issue: `bpo-44022 `_
* Creation date: 2021-05-03
* Reporter: guangli dong

CVE-2021-3737
-------------

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
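The loop behind this CVE, as an added example that is not code from this page, from CPython or from the reporter: the fix commits listed above replaced the header-skipping loop that ``http.client.HTTPResponse.begin()`` runs after a ``100 Continue`` status with a reader bounded by the module's ``_MAXHEADERS`` limit (100 header lines) in addition to the existing ``_MAXLINE`` length check. The pre-fix loop stopped only on a blank line, so a server that emits header lines forever keeps the client busy indefinitely, and because every line arrives well within the socket timeout, the timeout never fires. The block below re-creates both forms against a constructed in-memory stream instead of a live socket; ``EndlessHeaderStream``, ``TooManyHeaders``, the ``guard`` parameter and the sample header bytes are this example's own constructs, while the 65536 and 100 limits are the values ``http.client`` uses.

```python
"""Added example for CVE-2021-3737: the '100 Continue' header-skipping loop
of http.client in its pre-fix (unbounded) and post-fix (bounded) shapes,
driven by a constructed in-memory stream rather than a real server."""

import io

# Limits as used by http.client; the names follow that module.
_MAXLINE = 65536      # longest single line accepted
_MAXHEADERS = 100     # most header lines accepted in one header block


class LineTooLong(Exception):
    """A single header line exceeded _MAXLINE bytes."""


class TooManyHeaders(Exception):
    """More than _MAXHEADERS header lines arrived without a blank line."""


class EndlessHeaderStream:
    """Constructed stand-in for a malicious server. After its
    'HTTP/1.1 100 Continue' status line it emits header lines forever and
    never the blank line that terminates the header block. Every readline()
    returns promptly, so a per-operation socket timeout would never fire."""

    def __init__(self, line=b"X-Pad: aaaa\r\n"):
        self.line = line
        self.reads = 0          # how many lines the client has consumed

    def readline(self, limit=-1):
        self.reads += 1
        return self.line


def skip_continue_headers_unbounded(fp, guard):
    """Pre-fix logic: read until a blank line, checking only the line
    *length*, never the line *count*. 'guard' is an artificial cap added so
    this demo terminates; the vulnerable code had no such cap and spins
    forever on EndlessHeaderStream."""
    reads = 0
    while True:
        skip = fp.readline(_MAXLINE + 1)
        if len(skip) > _MAXLINE:
            raise LineTooLong("header line")
        reads += 1
        if not skip.strip():
            return reads        # blank line: header block finished
        if reads >= guard:
            return reads        # demo-only escape hatch


def skip_continue_headers_bounded(fp):
    """Post-fix logic (the shape of http.client._read_headers): the block is
    bounded by both line length and line count, so an endless stream is
    rejected after _MAXHEADERS + 1 lines instead of looping."""
    headers = []
    while True:
        line = fp.readline(_MAXLINE + 1)
        if len(line) > _MAXLINE:
            raise LineTooLong("header line")
        headers.append(line)
        if len(headers) > _MAXHEADERS:
            raise TooManyHeaders("got more than %d headers" % _MAXHEADERS)
        if line in (b"\r\n", b"\n", b""):
            return headers      # blank line (or EOF) ends the block


def demo():
    """Run both loops against the malicious stream and a benign one.
    Returns (unbounded_reads, bounded_error_name, bounded_reads, benign_headers)."""
    # Vulnerable loop: still spinning when the demo guard stops it.
    evil = EndlessHeaderStream()
    unbounded_reads = skip_continue_headers_unbounded(evil, guard=10_000)

    # Fixed loop: gives up after _MAXHEADERS + 1 lines and raises.
    evil = EndlessHeaderStream()
    try:
        skip_continue_headers_bounded(evil)
        bounded_error = None
    except TooManyHeaders as exc:
        bounded_error = type(exc).__name__

    # Benign interim response: two header lines, then the terminating blank line.
    benign = io.BytesIO(b"Date: Mon, 03 May 2021 00:00:00 GMT\r\nServer: x\r\n\r\n")
    benign_headers = skip_continue_headers_bounded(benign)

    return unbounded_reads, bounded_error, evil.reads, benign_headers


if __name__ == "__main__":
    reads, err, bounded_reads, headers = demo()
    print("pre-fix loop still running after", reads, "lines")
    print("post-fix loop raised", err, "after", bounded_reads, "lines")
    print("benign block accepted with", len(headers), "lines")
```

The point to take from the bounded version is that the defence is a count, not a time limit: a socket timeout only protects against a server that goes silent, while a server that keeps talking needs an explicit bound on how much the client is willing to read before it has a usable response.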
* CVE ID: `CVE-2021-3737 `_
* Published: 2022-03-04
* `CVSS Score `_: 7.1

Timeline
--------

Timeline using the disclosure date **2021-05-03** as reference:

* 2021-05-03: `Python issue bpo-44022 `_ reported by guangli dong
* 2021-05-05 (**+2 days**): `commit 60ba0b6 (branch 3.10) `_
* 2021-05-05 (**+2 days**): `commit ea93270 (branch 3.9) `_
* 2021-05-06 (**+3 days**): `commit 078b146 (branch 3.7) `_
* 2021-05-06 (**+3 days**): `commit f396864 (branch 3.8) `_
* 2021-05-06 (**+3 days**): `commit f68d2d6 (branch 3.6) `_
* 2021-06-28 (**+56 days**): Python 3.6.14 released
* 2021-06-28 (**+56 days**): Python 3.7.11 released
* 2021-06-28 (**+56 days**): Python 3.8.11 released
* 2021-06-28 (**+56 days**): Python 3.9.6 released
* 2021-10-04: Python 3.10.0 released
* 2022-03-04 (**+305 days**): CVE-2021-3737 published

Links
-----

* https://access.redhat.com/security/cve/CVE-2021-3737
* https://bugzilla.redhat.com/show_bug.cgi?id=1995162