CVE-2021-28861: High severity IBM Security Verify Access Docker vulnerability

Published Aug 22, 2022
·
Updated

DISPUTED Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Other sources

A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path. This issue may lead to information disclosure.

An open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure.

References:

https://bugs.python.org/issue43223

Red Hat

Python could allow a remote attacker to conduct phishing attacks, caused by

Affected Software

26 affected componentsFixes available
redhat/python3<0:3.6.8-48.el8_7.1
0:3.6.8-48.el8_7.1
redhat/python3.9<0:3.9.14-1.el9
0:3.9.14-1.el9
redhat/rh-python38-python<0:3.8.14-1.el7
0:3.8.14-1.el7
IBM Security Verify Access Docker<=10.0.X
IBM Security Verify Access<=10.0.X
debian/pypy3<=7.3.5+dfsg-2+deb11u2
7.3.5+dfsg-2+deb11u47.3.11+dfsg-2+deb12u37.3.19+dfsg-1
debian/python2.7<=2.7.18-8+deb11u1
debian/python3.11
3.11.2-6+deb12u53.11.2-6+deb12u3
debian/python3.9<=3.9.2-1
3.9.2-1+deb11u3
Python Python>=3.0.0<3.7.14
Python Python>=3.8.0<3.8.14
Python Python>=3.9.0<3.9.14
Python Python>=3.10.0<3.10.6
Python Python=3.11.0-alpha1
Python Python=3.11.0-alpha2
Python Python=3.11.0-alpha3
Python Python=3.11.0-alpha4
Python Python=3.11.0-alpha5
Python Python=3.11.0-alpha6
Python Python=3.11.0-alpha7
Python Python=3.11.0-beta1
Python Python=3.11.0-beta2
Python Python=3.11.0-beta3
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37

Remediation

Patch Available

https://github.com/python/cpython/pull/24848

Patch Available

https://github.com/python/cpython/pull/93879

Event History

Aug 22, 2022
CVE Published
12:00 AM
Aug 23, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Disputed
01:15 AM
Data Sourced
via NVD·01:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·01:02 PM
DescriptionSeverityAffected Software
Apr 19, 2023
Data Sourced
via IBM·12:00 AM
DescriptionSeverityAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·06:02 PM
Description
Sep 20, 2024
Data Sourced
via Ubuntu·06:41 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-28861?

CVE-2021-28861 is a vulnerability in Python 3.x through 3.10 that causes an open redirection vulnerability in lib/http/server.py.

2

How does CVE-2021-28861 affect the software?

CVE-2021-28861 affects Python 3.x through 3.10.

3

What is the severity of CVE-2021-28861?

CVE-2021-28861 has a severity rating of high.

4

What is the impact of CVE-2021-28861?

CVE-2021-28861 may lead to information disclosure.

5

How can CVE-2021-28861 be fixed?

To fix CVE-2021-28861, update to the recommended versions of Python that have the patch applied.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203