CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response

If a client requests an HTTP/HTTPS/FTP service controlled by an attacker, the attacker can make the client hang forever, even if the client has set a timeout argument.

Dates:

  • Disclosure date: 2021-05-03 (Python issue bpo-44022 reported)

Fixed In

Python issue

CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.

  • Python issue: bpo-44022
  • Creation date: 2021-05-03
  • Reporter: guangli dong

CVE-2021-3737

A flaw was found in Python. An improperly handled HTTP response in the HTTP client code of Python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Timeline

Timeline using the disclosure date 2021-05-03 as reference: