CVE-2021-23336

NameCVE-2021-23336
DescriptionThe package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2569-1, DLA-2619-1, DLA-2628-1, DLA-3164-1, DLA-3575-1, ELA-435-1, ELA-572-1
Debian Bugs983090

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pypy (PTS)jessie2.4.0+dfsg-3vulnerable
stretch5.6.0+dfsg-4vulnerable
buster7.0.0+dfsg-3vulnerable
bullseye7.3.3+dfsg-2vulnerable
pypy3 (PTS)buster7.0.0+dfsg-3vulnerable
bullseye (security), bullseye7.3.5+dfsg-2+deb11u2fixed
bookworm7.3.11+dfsg-2+deb12u2fixed
sid, trixie7.3.17+dfsg-2fixed
python-django (PTS)jessie, jessie (lts)1.7.11-1+deb8u17fixed
stretch (security)1:1.10.7-2+deb9u17fixed
stretch (lts), stretch1:1.10.7-2+deb9u23fixed
buster, buster (lts)1:1.11.29-1+deb10u12fixed
buster (security)1:1.11.29-1+deb10u11fixed
bullseye (security), bullseye2:2.2.28-1~deb11u2fixed
bookworm (security), bookworm3:3.2.19-1+deb12u1fixed
sid, trixie3:4.2.16-1fixed
python2.7 (PTS)jessie, jessie (lts)2.7.9-2-ds1-1+deb8u12fixed
stretch (security)2.7.13-2+deb9u6fixed
stretch (lts), stretch2.7.13-2+deb9u9fixed
buster (security), buster, buster (lts)2.7.16-2+deb10u4fixed
bullseye2.7.18-8+deb11u1fixed
python3.4 (PTS)jessie, jessie (lts)3.4.2-1+deb8u18fixed
python3.5 (PTS)stretch (security)3.5.3-1+deb9u5fixed
stretch (lts), stretch3.5.3-1+deb9u10fixed
python3.7 (PTS)buster, buster (lts)3.7.3-2+deb10u8vulnerable
buster (security)3.7.3-2+deb10u7vulnerable
python3.9 (PTS)bullseye3.9.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pypysourcejessie(unfixed)end-of-life
pypysource(unstable)(unfixed)
pypy3source(unstable)7.3.3+dfsg-3
python-djangosourcejessie(not affected)
python-djangosourcestretch1:1.10.7-2+deb9u11DLA-2569-1
python-djangosourcebuster1:1.11.29-1+deb10u2DLA-3164-1
python-djangosource(unstable)2:2.2.19-1983090
python2.7sourceexperimental2.7.18-13.1~exp1
python2.7sourcejessie2.7.9-2-ds1-1+deb8u7ELA-435-1
python2.7sourcestretch2.7.13-2+deb9u5DLA-2628-1
python2.7sourcebuster2.7.16-2+deb10u3DLA-3575-1
python2.7sourcebullseye2.7.18-8+deb11u1
python2.7source(unstable)2.7.18-13.1
python3.4sourcejessie3.4.2-1+deb8u12ELA-572-1
python3.4source(unstable)(unfixed)
python3.5sourcestretch3.5.3-1+deb9u4DLA-2619-1
python3.5source(unstable)(unfixed)
python3.7source(unstable)(unfixed)
python3.8source(unstable)(unfixed)
python3.9source(unstable)3.9.2-1

Notes

[buster] - python3.9 <ignored> (Will break existing applications, don't backport to released suites)
[buster] - python3.7 <ignored> (Will break existing applications, don't backport to released suites)
[buster] - pypy3 <no-dsa> (Minor issue)
https://github.com/python/cpython/pull/24297
https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e (3.7)
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
[jessie] - python-django <not-affected> (Vulnerable code not present)
Search for package or bug name: Reporting problems