summaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2021-03-03 00:12:22 +0800
committerTim Orling <timothy.t.orling@intel.com>2021-06-15 09:15:13 -0700
commit53455fdfac7136c43bc1187f4c74d4e4228a98a8 (patch)
treed04445b6fab34a933f9c70fa3e3eb9b01eb79fe0 /contrib
parent2246b0d7a71c69eb2e89c55991d1387069895466 (diff)
downloadopenembedded-core-contrib-timo/dunfell/python3-CVE-2021-23336.tar.gz
python3: fix CVE-2021-23336timo/dunfell/python3-CVE-2021-23336
From: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> """ The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. """ References: https://nvd.nist.gov/vuln/detail/CVE-2021-23336 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336 Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Diffstat (limited to 'contrib')
0 files changed, 0 insertions, 0 deletions