CVE-2021-23336

Name	CVE-2021-23336
Description	The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2569-1, DLA-2619-1, DLA-2628-1, DLA-3164-1, DLA-3575-1, ELA-435-1, ELA-572-1
Debian Bugs	983090

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	buster	7.0.0+dfsg-3	vulnerable
	bullseye (security), bullseye	7.3.5+dfsg-2+deb11u2	fixed
	bookworm	7.3.11+dfsg-2+deb12u1	fixed
	trixie	7.3.15+dfsg-1	fixed
	sid	7.3.16+dfsg-1	fixed
python-django (PTS)	jessie, jessie (lts)	1.7.11-1+deb8u16	fixed
	stretch (security)	1:1.10.7-2+deb9u17	fixed
	stretch (lts), stretch	1:1.10.7-2+deb9u21	fixed
	buster	1:1.11.29-1~deb10u1	vulnerable
	buster (security)	1:1.11.29-1+deb10u11	fixed
	bullseye (security), bullseye	2:2.2.28-1~deb11u2	fixed
	bookworm (security), bookworm	3:3.2.19-1+deb12u1	fixed
	sid, trixie	3:4.2.11-1	fixed
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	fixed
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster	2.7.16-2+deb10u1	vulnerable
	buster (security)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u17	fixed
python3.5 (PTS)	stretch (security)	3.5.3-1+deb9u5	fixed
	stretch (lts), stretch	3.5.3-1+deb9u9	fixed
python3.7 (PTS)	buster	3.7.3-2+deb10u3	vulnerable
	buster (security)	3.7.3-2+deb10u7	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
pypy3	source	(unstable)	7.3.3+dfsg-3
python-django	source	jessie	(not affected)
python-django	source	stretch	1:1.10.7-2+deb9u11	DLA-2569-1
python-django	source	buster	1:1.11.29-1+deb10u2	DLA-3164-1
python-django	source	(unstable)	2:2.2.19-1		983090
python2.7	source	experimental	2.7.18-13.1~exp1
python2.7	source	jessie	2.7.9-2-ds1-1+deb8u7	ELA-435-1
python2.7	source	stretch	2.7.13-2+deb9u5	DLA-2628-1
python2.7	source	buster	2.7.16-2+deb10u3	DLA-3575-1
python2.7	source	bullseye	2.7.18-8+deb11u1
python2.7	source	(unstable)	2.7.18-13.1
python3.4	source	jessie	3.4.2-1+deb8u12	ELA-572-1
python3.4	source	(unstable)	(unfixed)
python3.5	source	stretch	3.5.3-1+deb9u4	DLA-2619-1
python3.5	source	(unstable)	(unfixed)
python3.7	source	(unstable)	(unfixed)
python3.8	source	(unstable)	(unfixed)
python3.9	source	(unstable)	3.9.2-1

Notes

[buster] - python3.9 <ignored> (Will break existing applications, don't backport to released suites)
[buster] - python3.7 <ignored> (Will break existing applications, don't backport to released suites)
[buster] - pypy3 <no-dsa> (Minor issue)
https://github.com/python/cpython/pull/24297
https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e (3.7)
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
[jessie] - python-django <not-affected> (Vulnerable code not present)