CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score: 7.5 High (Confidence: High)

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low (Percentile: 59.1%)
DISPUTED Python 3.x through 3.10 has an open redirection
vulnerability in lib/http/server.py due to no protection against multiple
slashes (/) at the beginning of the URI path, which may lead to information disclosure.
NOTE: this is disputed by a third party because the http.server.html
documentation page states “Warning: http.server is not recommended for
production. It only implements basic security checks.”
Priority reason: Works as documented, and disputed as being a security issue

Author | Note
---|---
mdeslaur | This CVE has now been disputed by the upstream developers, marking remaining releases as not-affected
github.com/python/cpython/pull/24848
github.com/python/cpython/pull/93879
launchpad.net/bugs/cve/CVE-2021-28861
nvd.nist.gov/vuln/detail/CVE-2021-28861
python-security.readthedocs.io/vuln/http-server-redirection.html
security-tracker.debian.org/tracker/CVE-2021-28861
ubuntu.com/security/notices/USN-5629-1
ubuntu.com/security/notices/USN-5888-1
www.cve.org/CVERecord?id=CVE-2021-28861