CVE-2021-23336

Public on 2021-02-15
Modified on 2022-05-31

Description

The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
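The divergence described above, as an added example that is not part of the original advisory: it compares a query string split on "&" only (the proxy's view, and what patched Python does) with the pre-fix split on both "&" and ";", and reports parameters whose effective value differs. The parameter names, the unkeyed parameter utm_content, the last-value-wins rule and the sample query string are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

def proxy_view(qs):
    """Split on '&' only, as a default-configured proxy and patched Python do."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")

def legacy_view(qs):
    """Emulate pre-fix parse_qsl, which split on both '&' and ';'."""
    return parse_qsl(qs.replace(";", "&"), keep_blank_values=True, separator="&")

def effective(pairs):
    """Collapse duplicates; the last occurrence wins (assumed framework rule)."""
    return dict(pairs)

def cloaked_params(qs):
    """Return the names whose effective value differs between the two views."""
    by_proxy = effective(proxy_view(qs))
    by_legacy = effective(legacy_view(qs))
    names = set(by_proxy) | set(by_legacy)
    return sorted(n for n in names if by_proxy.get(n) != by_legacy.get(n))

def cache_key(qs, unkeyed=("utm_content",)):
    """Cache key as the proxy builds it: keyed parameters only."""
    return tuple((k, v) for k, v in proxy_view(qs) if k not in unkeyed)

# Constructed sample: a second "callback" sits inside the unkeyed parameter.
SAMPLE = "callback=render&utm_content=x;callback=other"

if __name__ == "__main__":
    print("proxy sees :", proxy_view(SAMPLE))
    print("legacy sees:", legacy_view(SAMPLE))
    print("same cache key as the clean request:",
          cache_key(SAMPLE) == cache_key("callback=render"))
    print("parameters that diverge:", cloaked_params(SAMPLE))
```

A non-empty result from cloaked_params on a logged query string marks a request that a proxy and an unpatched backend would interpret differently.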

Severity
Medium
CVSS v3 Base Score
5.9

Affected Packages

| Platform | Package | Release Date | Advisory |
|---|---|---|---|
| Amazon Linux 2 - Core | python | 2022-05-31 23:50 | ALAS2-2022-1802 |
| Amazon Linux 1 | python27 | 2022-05-31 23:47 | ALAS-2022-1593 |
| Amazon Linux 2 - Core | python3 | 2021-05-20 16:15 | ALAS2-2021-1640 |
| Amazon Linux 1 | python34 | 2021-05-20 21:12 | ALAS-2021-1504 |
| Amazon Linux 1 | python35 | 2021-05-06 19:11 | ALAS-2021-1498 |
| Amazon Linux 1 | python36 | 2021-05-14 16:53 | ALAS-2021-1500 |

CVSS Scores

| Score Type | Score | Vector |
|---|---|---|
| Amazon Linux CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H |
| NVD CVSSv2 | 4.0 | AV:N/AC:H/Au:N/C:N/I:P/A:P |
| NVD CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H |