CVE-2021-28861

moderate-risk

Published 2022-08-23

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Do I need to act?

1.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.4/10 High

NETWORK / LOW complexity

Affected Products (14)

Python

Fedora

Affected Vendors

Python Fedoraproject

References (38)

Issue Tracking https://bugs.python.org/issue43223

Patch https://github.com/python/cpython/pull/24848

Patch https://github.com/python/cpython/pull/93879

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.gentoo.org/glsa/202305-02

Issue Tracking https://bugs.python.org/issue43223

Patch https://github.com/python/cpython/pull/24848

and 18 more references

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 18/34 · Moderate