http.server: Open Redirection if the URL path starts with //
This security flaw causes an open redirection vulnerability in Lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path.
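The following added example (not CPython's own code) models why a request path beginning with `//` matters. When `SimpleHTTPRequestHandler` answers a directory request that lacks a trailing slash, it echoes the request path back with `/` appended as the `Location` header; a client resolves a `Location` of the form `//host/` as a scheme-relative URL, so the redirect leaves the server's origin. The `normalize_request_path` function reproduces the check the gh-87389 fix adds in `parse_request` (collapsing leading slashes to one), and `is_cross_origin_redirect` is a defensive check a test harness or proxy can apply. The server origin `http://localhost:8000/` and the host name `evil.example` are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample values (not from the advisory): the server's own origin
# and a foreign host name used to show where a bad redirect would land.
SERVER_ORIGIN = "http://localhost:8000/"
FOREIGN_HOST = "evil.example"


def normalize_request_path(path: str) -> str:
    """Collapse a run of leading slashes to a single one.

    This mirrors the check the gh-87389 fix adds in
    BaseHTTPRequestHandler.parse_request: '//evil.example' becomes
    '/evil.example', so a path can never be read by a client as a
    scheme-relative URL ('//host/...').
    """
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def directory_redirect_location(request_path: str, fixed: bool) -> str:
    """Model of the 301 SimpleHTTPRequestHandler.send_head sends for a
    directory requested without a trailing '/': the request path is split,
    '/' is appended, and the result is reassembled as the Location value.
    With fixed=False the path is used as received (pre-fix behaviour).
    Returns '' when no redirect would be issued."""
    path = normalize_request_path(request_path) if fixed else request_path
    parts = urlsplit(path)
    if parts.path.endswith("/"):
        return ""
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def client_resolves_to(origin: str, location: str) -> str:
    """How an HTTP client resolves a Location header against the URL it
    requested (RFC 3986 reference resolution, via urllib.parse.urljoin)."""
    return urljoin(origin, location)


def is_cross_origin_redirect(origin: str, location: str) -> bool:
    """Defensive check: once resolved, does the Location value point at a
    host other than the server's own?"""
    resolved_host = urlsplit(client_resolves_to(origin, location)).netloc
    return resolved_host != urlsplit(origin).netloc


if __name__ == "__main__":
    request_path = "//" + FOREIGN_HOST  # request line: GET //evil.example HTTP/1.1
    for fixed in (False, True):
        location = directory_redirect_location(request_path, fixed)
        target = client_resolves_to(SERVER_ORIGIN, location)
        print(f"fixed={fixed}: Location: {location} -> client goes to {target} "
              f"(cross-origin: {is_cross_origin_redirect(SERVER_ORIGIN, location)})")
```

Run as a script it prints the two outcomes side by side: without the fix the `Location` is `//evil.example/`, which the client resolves to `http://evil.example/`; with the fix it is `/evil.example/`, which stays on `localhost:8000`.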
Dates:
- Disclosure date: 2021-02-14 (Python issue gh-87389 reported)
- Reported at: 2021-02-14
- Reported by: Hamza Avvan (email to PSRT)
Fixed In
- Python 3.7.14 (2022-09-06) fixed by commit 8a34afd (branch 3.7) (2022-06-22)
- Python 3.8.14 (2022-09-06) fixed by commit 4dc2cae (branch 3.8) (2022-06-22)
- Python 3.9.14 (2022-09-06) fixed by commit defaa2b (branch 3.9) (2022-06-22)
- Python 3.10.6 (2022-08-01) fixed by commit 5715382 (branch 3.10) (2022-06-21)
- Python 3.11.0 (2022-10-24) fixed by commit e2e8847 (branch 3.11) (2022-06-21)
Python issue
[security] CVE-2021-28861: http.server: Open Redirection if the URL path starts with //.
- Python issue: gh-87389
- Creation date: 2021-02-14
- Reporter: Hamza Avvan
CVE-2021-28861
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
- CVE ID: CVE-2021-28861
- Published: 2022-08-23
Timeline
Timeline using the disclosure date 2021-02-14 as reference:
- 2021-02-14: Reported
- 2021-02-14: Python issue gh-87389 reported by Hamza Avvan
- 2022-06-21 (+492 days): commit 4abab6b (branch 3.12)
- 2022-06-21 (+492 days): commit 5715382 (branch 3.10)
- 2022-06-21 (+492 days): commit e2e8847 (branch 3.11)
- 2022-06-22 (+493 days): commit 4dc2cae (branch 3.8)
- 2022-06-22 (+493 days): commit 8a34afd (branch 3.7)
- 2022-06-22 (+493 days): commit defaa2b (branch 3.9)
- 2022-08-01 (+533 days): Python 3.10.6 released
- 2022-08-23 (+555 days): CVE-2021-28861 published
- 2022-09-06 (+569 days): Python 3.7.14 released
- 2022-09-06 (+569 days): Python 3.8.14 released
- 2022-09-06 (+569 days): Python 3.9.14 released
- 2022-10-24: Python 3.11.0 released