[ASA-202205-1] python-httpx: access restriction bypass

2022-05-16 00:00:00 - security.archlinux.org

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Arch Linux Security Advisory ASA-202205-1

Severity: Critical
Date : 2022-05-16
CVE-ID : CVE-2021-41945
Package : python-httpx
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2718

Summary

The package python-httpx before version 0.22.0-2 is vulnerable to
access restriction bypass.

Resolution

Upgrade to 0.22.0-2.

pacman -Syu "python-httpx>=0.22.0-2"

The problem has been fixed upstream but no release is available yet.
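A practitioner reading this advisory usually wants a quick way to tell whether a given host is still on an affected build. The following is an added example, not part of the Arch advisory or of the httpx project: it compares an installed python-httpx version string against the fixed version 0.22.0-2 using a simplified epoch:pkgver-pkgrel comparison (an approximation of pacman's vercmp ordering, assumed sufficient for ordinary dotted versions) and optionally reads the installed version from `pacman -Q`. The sample version strings in the comments are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed version taken from the Resolution section of ASA-202205-1.
FIXED_VERSION = "0.22.0-2"


def _split(version: str) -> Tuple[int, str, Optional[str]]:
    """Split an Arch full version into (epoch, pkgver, pkgrel).

    Format is [epoch:]pkgver[-pkgrel]; a missing epoch counts as 0 and a
    missing pkgrel is returned as None so it can be ignored in comparison.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        pkgver, pkgrel = version.rsplit("-", 1)
        return epoch, pkgver, pkgrel
    return epoch, version, None


def _cmp_segments(a: str, b: str) -> int:
    """Compare two version strings segment by segment (simplified vercmp).

    Assumption: strings are tokenised into numeric and alphabetic runs;
    numeric runs compare as integers, a numeric run outranks an alphabetic
    one, and the string with more remaining segments wins a tie.
    Returns -1, 0 or 1 like a classic three-way comparison.
    """
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if x_num != y_num:
            return 1 if x_num else -1
        return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def compare_versions(a: str, b: str) -> int:
    """Three-way compare two Arch versions: epoch first, then pkgver, then pkgrel."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _cmp_segments(va, vb)
    if result != 0 or ra is None or rb is None:
        return result
    return _cmp_segments(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed version.

    Constructed samples: "0.22.0-1" -> True, "0.22.0-2" -> False,
    "0.21.3-1" -> True, "0.23.0-1" -> False, "1:0.1.0-1" -> False.
    """
    return compare_versions(installed, fixed) < 0


def installed_version(package: str = "python-httpx") -> Optional[str]:
    """Read the installed version via `pacman -Q <pkg>`; None if unavailable."""
    try:
        proc = subprocess.run(
            ["pacman", "-Q", package],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    parts = proc.stdout.split()
    return parts[1] if len(parts) >= 2 else None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("python-httpx is not installed or pacman is not available")
    elif is_vulnerable(current):
        print(f"python-httpx {current} is affected; upgrade to {FIXED_VERSION}")
    else:
        print(f"python-httpx {current} is at or above {FIXED_VERSION}")
```

Because the advisory's fix is a packaging revision (pkgrel 2 of the same upstream 0.22.0), the check must compare the pkgrel as well as the upstream version; comparing only "0.22.0" would wrongly report the patched build as affected.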

Workaround

None.

Description

A vulnerability was found in the httpx.URL, httpx.Client and
httpx.URL.copy_with functions of the python-httpx package allowing an
attacker to bypass access restrictions.

Impact

An attacker can access sensitive information using a maliciously
crafted HTTP request.

References

https://github.com/archlinux/svntogit-community/commit/6bc11df9ae9b7644e58a54bdfd706720a2f952bc
https://gist.github.com/lebr0nli/4edb76bbd3b5ff993cf44f2fbce5e571
https://github.com/advisories/GHSA-h8pj-cxx2-jfg2
https://github.com/encode/httpx/discussions/1831
https://github.com/encode/httpx/issues/2184
https://github.com/encode/httpx/pull/2185
https://security.archlinux.org/CVE-2021-41945

OS        | Version | Architecture | Package      | Version    | Filename
ArchLinux | any     | any          | python-httpx | < 0.22.0-2 | UNKNOWN
