CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

If a client request a HTTP/HTTPS/FTP service which is controlled by attacker, attacker can make this client hang forever, even if the client has set a timeout argument.

Dates:

• Disclosure date: 2021-05-03 (Python issue bpo-44022 reported)

Fixed In

• Python 3.6.14 (2021-06-28) fixed by commit f68d2d6 (branch 3.6) (2021-05-06)
• Python 3.7.11 (2021-06-28) fixed by commit 078b146 (branch 3.7) (2021-05-06)
• Python 3.8.11 (2021-06-28) fixed by commit f396864 (branch 3.8) (2021-05-06)
• Python 3.9.6 (2021-06-28) fixed by commit ea93270 (branch 3.9) (2021-05-05)
• Python 3.10.0 (2021-10-04) fixed by commit 60ba0b6 (branch 3.10) (2021-05-05)

Python issue

CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.

• Python issue: bpo-44022
• Creation date: 2021-05-03
• Reporter: guangli dong

CVE-2021-3737

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

• CVE ID: CVE-2021-3737
• Published: 2022-03-04
• CVSS Score: 7.1

Timeline

Timeline using the disclosure date 2021-05-03 as reference:

• 2021-05-03: Python issue bpo-44022 reported by guangli dong
• 2021-05-05 (+2 days): commit 60ba0b6 (branch 3.10)
• 2021-05-05 (+2 days): commit ea93270 (branch 3.9)
• 2021-05-06 (+3 days): commit 078b146 (branch 3.7)
• 2021-05-06 (+3 days): commit f396864 (branch 3.8)
• 2021-05-06 (+3 days): commit f68d2d6 (branch 3.6)
• 2021-06-28 (+56 days): Python 3.6.14 released
• 2021-06-28 (+56 days): Python 3.7.11 released
• 2021-06-28 (+56 days): Python 3.8.11 released
• 2021-06-28 (+56 days): Python 3.9.6 released
• 2021-10-04: Python 3.10.0 released
• 2022-03-04 (+305 days): CVE-2021-3737 published

Links

• https://access.redhat.com/security/cve/CVE-2021-3737
• https://bugzilla.redhat.com/show_bug.cgi?id=1995162