#VU67591 Open redirect in Python


Published: 2022-09-22

Vulnerability identifier: #VU67591

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-28861

CWE-ID: CWE-601

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in lib/http/server.py due to missing protection against multiple (/) at the beginning of URI path. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 3.0 - 3.10.5

CPE

External links
http://github.com/python/cpython/pull/93879
http://bugs.python.org/issue43223
http://github.com/python/cpython/pull/24848
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell VxRail Appliance components
Multiple vulnerabilities in Dell SRM and Dell Storage Monitoring and Reporting
Red Hat Enterprise Linux 9 update for python3.9
SUSE update for python
SUSE update for python3
SUSE update for python
SUSE update for python3
SUSE update for python
SUSE update for python3
SUSE update for python