CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response
If a client requests an HTTP/HTTPS/FTP service that is controlled by an attacker, the attacker can make this client hang forever, even if the client has set a timeout argument.
Dates:
- Disclosure date: 2021-05-03 (Python issue bpo-44022 reported)
Fixed In
- Python 3.6.14 (2021-06-28) fixed by commit f68d2d6 (branch 3.6) (2021-05-06)
- Python 3.7.11 (2021-06-28) fixed by commit 078b146 (branch 3.7) (2021-05-06)
- Python 3.8.11 (2021-06-28) fixed by commit f396864 (branch 3.8) (2021-05-06)
- Python 3.9.6 (2021-06-28) fixed by commit ea93270 (branch 3.9) (2021-05-05)
- Python 3.10.0 (2021-10-04) fixed by commit 60ba0b6 (branch 3.10) (2021-05-05)
Python issue
CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.
- Python issue: bpo-44022
- Creation date: 2021-05-03
- Reporter: guangli dong
CVE-2021-3737
A flaw was found in Python. An improperly handled HTTP response in the HTTP client code of Python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
- CVE ID: CVE-2021-3737
- Published: 2022-03-04
- CVSS Score: 7.1
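The hang described above comes from reading the header lines that follow a 100 Continue status line, which a hostile server can stream without ever sending the blank line that ends a header block. As an added illustration that is not CPython's http.client code, the following model shows that skip loop in a bounded form, together with a constructed stand-in for such a server; the caps MAX_LINE and MAX_HEADERS, the exception names, EndlessHeaders and demo() are all assumptions of this example.

```python
import io

MAX_LINE = 65536   # longest header line accepted (cap assumed for this example)
MAX_HEADERS = 100  # most header lines skipped after a 100 Continue (cap assumed for this example)


class HeaderFloodError(Exception):
    """Server keeps sending header lines after a 100 Continue instead of a blank line."""


class LineTooLong(Exception):
    """A single header line exceeded MAX_LINE bytes."""


def skip_continue_headers(fp, max_headers=MAX_HEADERS):
    """Consume the header block that follows an already-read '100 Continue' status line.

    Returns the number of header lines skipped. Stops at the blank line (or EOF)
    that ends the block; raises instead of looping if the server never sends one,
    or if a single line is longer than MAX_LINE. A socket timeout does not catch
    the flood case: every readline() returns promptly because bytes keep arriving,
    so the loop itself has to be bounded.
    """
    skipped = 0
    while True:
        line = fp.readline(MAX_LINE + 1)
        if len(line) > MAX_LINE:
            raise LineTooLong("header line")
        if line in (b"\r\n", b"\n", b""):   # blank line ends the block; b"" is EOF
            return skipped
        skipped += 1
        if skipped > max_headers:
            raise HeaderFloodError(
                f"got more than {max_headers} header lines after 100 Continue")


class EndlessHeaders:
    """Constructed stand-in for a hostile server socket: readline() always
    returns another header line and never the blank line that ends the block."""

    def __init__(self):
        self.calls = 0

    def readline(self, limit=-1):
        self.calls += 1
        return b"X-Pad: %d\r\n" % self.calls


def demo():
    # Benign case (constructed): two header lines, a blank line, then the real response.
    benign = io.BytesIO(b"Date: Thu, 01 Jan 1970 00:00:00 GMT\r\nServer: demo\r\n\r\nHTTP/1.1 200 OK\r\n")
    skipped = skip_continue_headers(benign)
    next_line = benign.readline()           # the final response is still intact
    # Hostile case: the bounded skipper gives up after MAX_HEADERS + 1 reads instead of hanging.
    hostile = EndlessHeaders()
    try:
        skip_continue_headers(hostile)
        flood_detected = False
    except HeaderFloodError:
        flood_detected = True
    return skipped, next_line, flood_detected, hostile.calls
```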
Timeline
Timeline using the disclosure date 2021-05-03 as reference:
- 2021-05-03: Python issue bpo-44022 reported by guangli dong
- 2021-05-05 (+2 days): commit 60ba0b6 (branch 3.10)
- 2021-05-05 (+2 days): commit ea93270 (branch 3.9)
- 2021-05-06 (+3 days): commit 078b146 (branch 3.7)
- 2021-05-06 (+3 days): commit f396864 (branch 3.8)
- 2021-05-06 (+3 days): commit f68d2d6 (branch 3.6)
- 2021-06-28 (+56 days): Python 3.6.14 released
- 2021-06-28 (+56 days): Python 3.7.11 released
- 2021-06-28 (+56 days): Python 3.8.11 released
- 2021-06-28 (+56 days): Python 3.9.6 released
- 2021-10-04: Python 3.10.0 released
- 2022-03-04 (+305 days): CVE-2021-3737 published