CVE - CVE-2021-23336

CVE-ID
CVE-2021-23336	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20210326-0004/ URL:https://security.netapp.com/advisory/ntap-20210326-0004/ FEDORA:FEDORA-2021-12df7f7382 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/ FEDORA:FEDORA-2021-1bb399a5af URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/ FEDORA:FEDORA-2021-2897f5366c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/ FEDORA:FEDORA-2021-309bc2e727 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/ FEDORA:FEDORA-2021-3352c1c802 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/ FEDORA:FEDORA-2021-5a09621ebb URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/ FEDORA:FEDORA-2021-7547ad987f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/ FEDORA:FEDORA-2021-7c1bb32d13 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/ FEDORA:FEDORA-2021-7d3a9004e2 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/ FEDORA:FEDORA-2021-907f3bacae URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/ FEDORA:FEDORA-2021-98720f3785 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/ FEDORA:FEDORA-2021-b1843407ca URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/ FEDORA:FEDORA-2021-b326fcb83f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/ FEDORA:FEDORA-2021-b6b6093b3a URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/ FEDORA:FEDORA-2021-b76ede8f4d URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/ FEDORA:FEDORA-2021-e22bb0e548 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/ FEDORA:FEDORA-2021-e525e48886 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/ FEDORA:FEDORA-2021-ef83e8525a URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/ FEDORA:FEDORA-2021-f4fd9372c7 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/ GENTOO:GLSA-202104-04 URL:https://security.gentoo.org/glsa/202104-04 MISC:https://github.com/python/cpython/pull/24297 URL:https://github.com/python/cpython/pull/24297 MISC:https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/ URL:https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/ MISC:https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933 URL:https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933 MISC:https://www.oracle.com//security-alerts/cpujul2021.html URL:https://www.oracle.com//security-alerts/cpujul2021.html MISC:https://www.oracle.com/security-alerts/cpuApr2021.html URL:https://www.oracle.com/security-alerts/cpuApr2021.html MISC:https://www.oracle.com/security-alerts/cpujan2022.html URL:https://www.oracle.com/security-alerts/cpujan2022.html MISC:https://www.oracle.com/security-alerts/cpuoct2021.html URL:https://www.oracle.com/security-alerts/cpuoct2021.html MLIST:[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL URL:https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E MLIST:[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL URL:https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E MLIST:[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update URL:https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html MLIST:[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update URL:https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html MLIST:[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update URL:https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html MLIST:[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update URL:https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html MLIST:[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar URL:https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E MLIST:[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()`` URL:http://www.openwall.com/lists/oss-security/2021/02/19/4 MLIST:[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL URL:http://www.openwall.com/lists/oss-security/2021/05/01/2
Assigning CNA
Snyk
Date Record Created
20210108	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210108)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)