Search criteria
9 vulnerabilities found for httplib2 by httplib2_project
FKIE_CVE-2021-21240
Vulnerability from fkie_nvd - Published: 2021-02-08 20:15 - Updated: 2024-11-21 05:47
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| httplib2_project | httplib2 | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*",
"matchCriteriaId": "D5BA135E-6889-4A5D-88F6-1AD4DBC498BE",
"versionEndExcluding": "0.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
},
{
"lang": "es",
"value": "httplib2 es una biblioteca cliente HTTP completa para Python.\u0026#xa0;En httplib2 anterior a la versi\u00f3n 0.19.0, un servidor malicioso que responde con una larga serie de caracteres \"\\xa0\" en el encabezado \"www-authenticate\" puede causar una Denegaci\u00f3n de Servicio (CPU quemada mientras analiza el encabezado) del cliente httplib2 que accede a dicho servidor.\u0026#xa0;Esto se corrigi\u00f3 en la versi\u00f3n 0.19.0, que contiene una nueva implementaci\u00f3n de an\u00e1lisis de encabezados de autenticaci\u00f3n usando la biblioteca pyparsing"
}
],
"id": "CVE-2021-21240",
"lastModified": "2024-11-21T05:47:50.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-08T20:15:12.197",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://pypi.org/project/httplib2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://pypi.org/project/httplib2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2020-11078
Vulnerability from fkie_nvd - Published: 2020-05-20 16:15 - Updated: 2024-11-21 04:56
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| httplib2_project | httplib2 | * | |
| fedoraproject | fedora | 31 | |
| fedoraproject | fedora | 32 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD58F185-66FE-4DD5-845F-7AF423F1859B",
"versionEndExcluding": "0.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
},
{
"lang": "es",
"value": "En httplib2 versiones anteriores a 0.18.0, un atacante controla una parte no escapada de un uri para la funci\u00f3n \"httplib2.Http.request()\" pod\u00eda cambiar los encabezados y el cuerpo de las peticiones, enviar peticiones ocultas adicionales hacia el mismo servidor. Esta vulnerabilidad impacta al software que usa httplib2 con un uri construido mediante una concatenaci\u00f3n en cadena, a diferencia de una construcci\u00f3n apropiada de urllib con escape. Esto ha sido corregido en la versi\u00f3n 0.18.0."
}
],
"id": "CVE-2020-11078",
"lastModified": "2024-11-21T04:56:44.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-20T16:15:10.657",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-93"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-2037
Vulnerability from fkie_nvd - Published: 2014-01-18 21:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | ubuntu_linux | 10.04 | |
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 12.10 | |
| canonical | ubuntu_linux | 13.04 | |
| httplib2_project | httplib2 | * | |
| httplib2_project | httplib2 | 0.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "5D37DF0F-F863-45AC-853A-3E04F9FEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*",
"matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E89F2147-19E4-4F5F-B3E2-E264981D54DE",
"versionEndIncluding": "0.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:httplib2_project:httplib2:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "7F0D0D16-9282-4326-A5F0-3EA92499D884",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."
},
{
"lang": "es",
"value": "httplib2 0.7.2, 0.8 y anteriores, despues de la conexi\u00f3n inicial, no verifica que el hostname del servidor es igual al nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo cual permite a atacantes man-in-the-middle falsear servidores SSL a trav\u00e9s de un certificado v\u00e1lido arbitrario."
}
],
"id": "CVE-2013-2037",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-01-18T21:55:03.503",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/52179"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/52179"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-21240 (GCVE-0-2021-21240)
Vulnerability from cvelistv5 – Published: 2021-02-08 19:45 – Updated: 2024-08-03 18:09
VLAI?
Summary
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:14.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pypi.org/project/httplib2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-08T19:45:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pypi.org/project/httplib2"
}
],
"source": {
"advisory": "GHSA-93xj-8mrv-444m",
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service in httplib2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21240",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.19.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"name": "https://github.com/httplib2/httplib2/pull/182",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"name": "https://pypi.org/project/httplib2",
"refsource": "MISC",
"url": "https://pypi.org/project/httplib2"
}
]
},
"source": {
"advisory": "GHSA-93xj-8mrv-444m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21240",
"datePublished": "2021-02-08T19:45:19",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:14.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11078 (GCVE-0-2020-11078)
Vulnerability from cvelistv5 – Published: 2020-05-20 16:00 – Updated: 2024-08-04 11:21
VLAI?
Summary
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Severity ?
6.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.81.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-16T18:06:04",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in httplib2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11078",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.81.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
}
]
},
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11078",
"datePublished": "2020-05-20T16:00:16",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-2037 (GCVE-0-2013-2037)
Vulnerability from cvelistv5 – Published: 2014-01-18 21:00 – Updated: 2024-08-06 15:20
VLAI?
Summary
httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
},
{
"name": "[oss-security] 20130501 Re: CVE Request: httplib2 ssl cert incorrect error handling",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"name": "USN-1948-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"name": "52179",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52179"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-05-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-25T19:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
},
{
"name": "[oss-security] 20130501 Re: CVE Request: httplib2 ssl cert incorrect error handling",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"name": "USN-1948-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"name": "52179",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52179"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2037",
"datePublished": "2014-01-18T21:00:00",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:20:37.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21240 (GCVE-0-2021-21240)
Vulnerability from nvd – Published: 2021-02-08 19:45 – Updated: 2024-08-03 18:09
VLAI?
Summary
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:14.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pypi.org/project/httplib2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-08T19:45:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pypi.org/project/httplib2"
}
],
"source": {
"advisory": "GHSA-93xj-8mrv-444m",
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service in httplib2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21240",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.19.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
},
{
"name": "https://github.com/httplib2/httplib2/pull/182",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/pull/182"
},
{
"name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
},
{
"name": "https://pypi.org/project/httplib2",
"refsource": "MISC",
"url": "https://pypi.org/project/httplib2"
}
]
},
"source": {
"advisory": "GHSA-93xj-8mrv-444m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21240",
"datePublished": "2021-02-08T19:45:19",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:14.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11078 (GCVE-0-2020-11078)
Vulnerability from nvd – Published: 2020-05-20 16:00 – Updated: 2024-08-04 11:21
VLAI?
Summary
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Severity ?
6.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.81.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-16T18:06:04",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in httplib2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11078",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.81.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
}
]
},
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11078",
"datePublished": "2020-05-20T16:00:16",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-2037 (GCVE-0-2013-2037)
Vulnerability from nvd – Published: 2014-01-18 21:00 – Updated: 2024-08-06 15:20
VLAI?
Summary
httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
},
{
"name": "[oss-security] 20130501 Re: CVE Request: httplib2 ssl cert incorrect error handling",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"name": "USN-1948-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"name": "52179",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52179"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-05-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-25T19:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/httplib2/+bug/1175272"
},
{
"name": "[oss-security] 20130501 Re: CVE Request: httplib2 ssl cert incorrect error handling",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/257"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/httplib2/issues/detail?id=282"
},
{
"name": "USN-1948-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1948-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602"
},
{
"name": "52179",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52179"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2037",
"datePublished": "2014-01-18T21:00:00",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:20:37.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}