urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The urlparse module treats semicolon as a separator, whereas most proxies today only take ampersands as separators.

When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such as utm_* parameters, which are usually unkeyed.

The fix is to only use ampersands & as separators, and add a separator parameter to chose the separator characters.

Dates:

• Disclosure date: 2021-01-19 (Python issue bpo-42967 reported)
• Reported at: 2020-10-19 (email sent to the PSRT list)
• Reported by: Adam Goldschmidt (Snyk)

Fixed In

• Python 3.6.13 (2021-02-16) fixed by commit 5c17dfc (branch 3.6) (2021-02-15)
• Python 3.7.10 (2021-02-16) fixed by commit d0d4d30 (branch 3.7) (2021-02-15)
• Python 3.8.8 (2021-02-19) fixed by commit e3110c3 (branch 3.8) (2021-02-15)
• Python 3.9.2 (2021-02-19) fixed by commit c9f0781 (branch 3.9) (2021-02-15)
• Python 3.10.0 (2021-10-04) fixed by commit fcbe0cb (branch 3.10) (2021-02-14)

Python issue

[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator.

• Python issue: bpo-42967
• Creation date: 2021-01-19
• Reporter: Adam Goldschmidt

CVE-2021-23336

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

• CVE ID: CVE-2021-23336
• Published: 2021-02-15
• CVSS Score: 4.0

Timeline

Timeline using the disclosure date 2021-01-19 as reference:

• 2020-10-19 (-92 days): Reported (email sent to the PSRT list)
• 2021-01-19: Python issue bpo-42967 reported by Adam Goldschmidt
• 2021-02-14 (+26 days): commit fcbe0cb (branch 3.10)
• 2021-02-15 (+27 days): CVE-2021-23336 published
• 2021-02-15 (+27 days): commit 5c17dfc (branch 3.6)
• 2021-02-15 (+27 days): commit c9f0781 (branch 3.9)
• 2021-02-15 (+27 days): commit d0d4d30 (branch 3.7)
• 2021-02-15 (+27 days): commit e3110c3 (branch 3.8)
• 2021-02-16 (+28 days): Python 3.6.13 released
• 2021-02-16 (+28 days): Python 3.7.10 released
• 2021-02-19 (+31 days): Python 3.8.8 released
• 2021-02-19 (+31 days): Python 3.9.2 released
• 2021-10-04: Python 3.10.0 released

Links

• https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
• https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933