SB2021102021 - SUSE update for python36
Published: October 20, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2021-3426)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Binding Support Function (Python) component in Oracle Communications Cloud Native Core Binding Support Function. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
2) Resource management error (CVE-ID: CVE-2021-3733)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application within the AbstractBasicAuthHandler class in urllib. A remote attacker with control over the server can perform regular expression denial of service attack during authentication.
3) Infinite loop (CVE-ID: CVE-2021-3737)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker who controls a malicious server can force the client to enter an infinite loop on a 100 Continue response.
Remediation
Install update from vendor's website.