Описание
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path. This issue may lead to information disclosure.
Отчет
This vulnerability is rated as a moderate because in Python's http.server module, an input validation flaw in lib/http/server.py allows for an open redirection. This issue is triggered when a remote, unauthenticated attacker (Attack Vector: Network, Privileges Required: None) convinces a user to access a crafted URL that begins with two forward slashes (//) leads to an information disclosure. Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | python | Not affected | ||
| Red Hat Enterprise Linux 7 | python | Not affected | ||
| Red Hat Enterprise Linux 7 | python3 | Out of support scope | ||
| Red Hat Enterprise Linux 8 | python2 | Not affected | ||
| Red Hat Enterprise Linux 8 | python27:2.7/python2 | Not affected | ||
| Red Hat Enterprise Linux 8 | python36 | Not affected | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Enterprise Linux 8 | python38 | Affected | ||
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2023:0833 | 21.02.2023 |
| Red Hat Enterprise Linux 8 | python38 | Fixed | RHSA-2023:2763 | 16.05.2023 |
Показывать по
Дополнительная информация
Статус:
7.4 High
CVSS3
Связанные уязвимости
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Python 3.x through 3.10 has an open redirection vulnerability in lib/h ...
7.4 High
CVSS3