CVE-2021-21240

Name
CVE-2021-21240
Description
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
Patch https://github.com/httplib2/httplib2/pull/182
Exploit https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Product https://pypi.org/project/httplib2

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:* py3-httplib2 >= None < 0.19.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-httplib2 3.13-community 0.18.1-r0 Fabian Affolter <fabian@affolter-engineering.ch> possibly vulnerable
py3-httplib2 3.11-main 0.14.0-r2 Fabian Affolter <fabian@affolter-engineering.ch> possibly vulnerable