.. _urllib-query-string-semicolon-separator:

urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator
=============================================================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The urlparse module treats semicolon as a separator, whereas most proxies today only take ampersands as separators. When the attacker can separate query parameters using a semicolon ``;``, they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such as ``utm_*`` parameters, which are usually unkeyed.

The fix is to only use ampersands ``&`` as separators, and add a *separator* parameter to choose the separator characters.
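
The parsing difference described above, as an added example (not code from CPython or from the original report): ``legacy_parse`` emulates the pre-fix splitting on both ``&`` and ``;``, ``fixed_parse`` uses the *separator* parameter introduced by the fix, and ``proxy_cache_key`` models a proxy that leaves ``utm_*`` out of its cache key. The function names, the sample queries and the proxy model are assumptions made for illustration, and the block needs a Python release that contains the fix.

```python
from urllib.parse import parse_qsl, unquote_plus

# Assumption: the proxy in front of the application does not key utm_* arguments.
UNKEYED_PREFIXES = ("utm_",)


def legacy_parse(query):
    """Emulate pre-fix parse_qsl(): both '&' and ';' separate arguments."""
    pairs = [p for part in query.split("&") for p in part.split(";") if p]
    out = []
    for pair in pairs:
        name, _, value = pair.partition("=")
        out.append((unquote_plus(name), unquote_plus(value)))
    return out


def fixed_parse(query):
    """Post-fix behaviour: only '&' separates arguments."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def proxy_cache_key(query):
    """Model proxy: splits on '&' only and drops unkeyed arguments."""
    keyed = [(k, v) for k, v in fixed_parse(query)
             if not k.startswith(UNKEYED_PREFIXES)]
    return tuple(sorted(keyed))


def is_cloaked(query):
    """True when a legacy backend would see other arguments than the proxy."""
    return legacy_parse(query) != fixed_parse(query)


# Constructed sample queries, not taken from the advisory.
PLAIN = "lang=en&utm_content=1"
CLOAKED = "lang=en&utm_content=1;lang=fr"

if __name__ == "__main__":
    for q in (PLAIN, CLOAKED):
        print(q)
        print("  proxy cache key :", proxy_cache_key(q))
        print("  legacy backend  :", dict(legacy_parse(q)))
        print("  fixed backend   :", dict(fixed_parse(q)))
        print("  differential    :", is_cloaked(q))
```

Both sample queries map to the same cache key, yet only the legacy parser reads a second ``lang`` value out of the ``utm_content`` argument; ``is_cloaked`` can be run over logged query strings to flag requests that an unpatched backend would interpret differently from the proxy.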

Dates:

* Disclosure date: **2021-01-19** (Python issue bpo-42967 reported)
* Reported at: 2020-10-19 (email sent to the PSRT list)
* Reported by: Adam Goldschmidt (Snyk)

Fixed In
--------

* Python **3.6.13** (2021-02-16) fixed by commit 5c17dfc (branch 3.6) (2021-02-15)
* Python **3.7.10** (2021-02-16) fixed by commit d0d4d30 (branch 3.7) (2021-02-15)
* Python **3.8.8** (2021-02-19) fixed by commit e3110c3 (branch 3.8) (2021-02-15)
* Python **3.9.2** (2021-02-19) fixed by commit c9f0781 (branch 3.9) (2021-02-15)
* Python **3.10.0** (2021-10-04) fixed by commit fcbe0cb (branch 3.10) (2021-02-14)

Python issue
------------

[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - ``;`` as a query args separator.

* Python issue: bpo-42967
* Creation date: 2021-01-19
* Reporter: Adam Goldschmidt

CVE-2021-23336
--------------

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

* CVE ID: CVE-2021-23336
* Published: 2021-02-15
* CVSS Score: 4.0

Timeline
--------

Timeline using the disclosure date **2021-01-19** as reference:

* 2020-10-19 (**-92 days**): Reported (email sent to the PSRT list)
* 2021-01-19: Python issue bpo-42967 reported by Adam Goldschmidt
* 2021-02-14 (**+26 days**): commit fcbe0cb (branch 3.10)
* 2021-02-15 (**+27 days**): CVE-2021-23336 published
* 2021-02-15 (**+27 days**): commit 5c17dfc (branch 3.6)
* 2021-02-15 (**+27 days**): commit c9f0781 (branch 3.9)
* 2021-02-15 (**+27 days**): commit d0d4d30 (branch 3.7)
* 2021-02-15 (**+27 days**): commit e3110c3 (branch 3.8)
* 2021-02-16 (**+28 days**): Python 3.6.13 released
* 2021-02-16 (**+28 days**): Python 3.7.10 released
* 2021-02-19 (**+31 days**): Python 3.8.8 released
* 2021-02-19 (**+31 days**): Python 3.9.2 released
* 2021-10-04: Python 3.10.0 released

Links
-----

* https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
* https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933