CVE-2021-28861
Public on 2022-08-23
Modified on 2025-03-07
Description
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python3 | 2022-12-01 | ALAS2-2022-1896 | Fixed |
| Amazon Linux 2023 | python3.9 | Not Affected | ||
| Amazon Linux 1 | python38 | No Fix Planned | ||
| Amazon Linux 2 - Python3.8 Extra | python38 | 2024-11-08 | ALAS2PYTHON3.8-2024-016 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| NVD | CVSSv3 | 7.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |