http.server: Open Redirection if the URL path starts with //

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

This security flaw causes an open redirection vulnerability in Lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path.

Dates:

• Disclosure date: 2021-02-14 (Python issue gh-87389 reported)
• Reported at: 2021-02-14
• Reported by: Hamza Avvan (email to PSRT)

Fixed In

• Python 3.7.14 (2022-09-06) fixed by commit 8a34afd (branch 3.7) (2022-06-22)
• Python 3.8.14 (2022-09-06) fixed by commit 4dc2cae (branch 3.8) (2022-06-22)
• Python 3.9.14 (2022-09-06) fixed by commit defaa2b (branch 3.9) (2022-06-22)
• Python 3.10.6 (2022-08-01) fixed by commit 5715382 (branch 3.10) (2022-06-21)
• Python 3.11.0 (2022-10-24) fixed by commit e2e8847 (branch 3.11) (2022-06-21)

Python issue

[security] CVE-2021-28861: http.server: Open Redirection if the URL path starts with //.

• Python issue: gh-87389
• Creation date: 2021-02-14
• Reporter: Hamza Avvan

CVE-2021-28861

** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states “Warning: http.server is not recommended for production. It only implements basic security checks.”

• CVE ID: CVE-2021-28861
• Published: 2022-08-23

Timeline

Timeline using the disclosure date 2021-02-14 as reference:

• 2021-02-14: Reported
• 2021-02-14: Python issue gh-87389 reported by Hamza Avvan
• 2022-06-21 (+492 days): commit 4abab6b (branch 3.12)
• 2022-06-21 (+492 days): commit 5715382 (branch 3.10)
• 2022-06-21 (+492 days): commit e2e8847 (branch 3.11)
• 2022-06-22 (+493 days): commit 4dc2cae (branch 3.8)
• 2022-06-22 (+493 days): commit 8a34afd (branch 3.7)
• 2022-06-22 (+493 days): commit defaa2b (branch 3.9)
• 2022-08-01 (+533 days): Python 3.10.6 released
• 2022-08-23 (+555 days): CVE-2021-28861 published
• 2022-09-06 (+569 days): Python 3.7.14 released
• 2022-09-06 (+569 days): Python 3.8.14 released
• 2022-09-06 (+569 days): Python 3.9.14 released
• 2022-10-24: Python 3.11.0 released

Links

• https://access.redhat.com/security/cve/CVE-2021-28861