CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response

If a client requests an HTTP/HTTPS/FTP service that is controlled by an attacker, the attacker can make the client hang forever, even if the client has set a timeout argument.

  • Disclosure date: 2021-05-03 (Python issue bpo-44022 reported)
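A client-side containment for the hang described above, as an added example that is not part of the advisory or of CPython: a socket timeout bounds each blocking socket operation rather than the request as a whole, so the fetch runs in a child interpreter that is killed at a wall-clock deadline. The names `run_with_deadline`, `fetch`, `FETCH_CHILD` and `DeadlineExceeded`, and the default limits, are assumptions made for this example.

```python
import subprocess
import sys

# Child script (constructed for this example): fetch one URL with urllib and
# write the body to stdout. argv[1] is the URL, argv[2] the socket timeout.
FETCH_CHILD = """
import sys, urllib.request
with urllib.request.urlopen(sys.argv[1], timeout=float(sys.argv[2])) as resp:
    sys.stdout.buffer.write(resp.read())
"""


class DeadlineExceeded(Exception):
    """The child interpreter did not finish before the wall-clock deadline."""


def run_with_deadline(child_code, args, deadline):
    """Run child_code in a fresh interpreter and return its stdout as bytes.

    The child is killed if it is still running after `deadline` seconds,
    whatever it is doing at that moment (blocked on I/O or spinning).
    """
    try:
        proc = subprocess.run(
            # -I: isolated mode, ignores PYTHON* variables and the user site dir
            [sys.executable, "-I", "-c", child_code, *args],
            capture_output=True,
            timeout=deadline,  # wall-clock limit enforced by the parent
            check=True,        # a failed fetch raises CalledProcessError
        )
    except subprocess.TimeoutExpired as exc:
        raise DeadlineExceeded(f"no result within {deadline}s") from exc
    return proc.stdout


def fetch(url, socket_timeout=5.0, deadline=15.0):
    """Fetch url with a per-operation socket timeout and a hard total deadline."""
    return run_with_deadline(FETCH_CHILD, [url, str(socket_timeout)], deadline)
```

Upgrading to a fixed Python release remains the actual remedy; the deadline only limits how long an unpatched client can be held.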

Fixed In

Python issue

CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.

  • Python issue: bpo-44022
  • Creation date: 2021-05-03
  • Reporter: guangli dong

Timeline

Timeline using the disclosure date 2021-05-03 as reference: