Vulnerability Description
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server that responds with a long series of "\xa0" characters in the "www-authenticate" header may cause a Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing that server. This is fixed in version 0.19.0, which contains a new implementation of auth-header parsing using the pyparsing library.
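As an added defensive example, not part of this advisory and not httplib2's own code: the advisory does not reproduce the vulnerable parsing pattern, so this snippet does not attempt to either. It shows a linear-time pre-filter a client can apply to a `WWW-Authenticate` value before handing it to any header parser. The filter rejects oversized values (the cap `MAX_AUTH_HEADER_LEN` is an assumed ceiling) and characters outside the RFC 7235 challenge grammar; U+00A0, the "\xa0" from the description, is neither a token character nor SP/HTAB, so outside a quoted string it is rejected on first sight, and inside a quoted string it is bounded by the length cap. The function assumes header values arrive as latin-1-decoded text (one character per byte); all sample inputs are constructed. Upgrading to httplib2 0.19.0 or later remains the actual fix.

```python
"""Linear-time pre-filter for WWW-Authenticate header values.

Constructed defensive example (not httplib2 code): reject header values that
are oversized or fall outside the RFC 7235 challenge grammar before they
reach a parser whose cost may not be linear in the input.
"""

# RFC 7230 token characters (tchar), valid in scheme names, parameter names
# and unquoted parameter values.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
# Structural characters allowed between tokens outside quoted strings:
# SP, HTAB, '=', ',' and '/' (the last appears in base64 token68 challenges).
_OUTSIDE_EXTRA = frozenset(" \t=,/")

MAX_AUTH_HEADER_LEN = 4096  # assumed ceiling; real challenges are far shorter


def _is_qdtext(ch: str) -> bool:
    """qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text (0x80-0xFF)."""
    o = ord(ch)
    return (ch in " \t" or o == 0x21 or 0x23 <= o <= 0x5B
            or 0x5D <= o <= 0x7E or 0x80 <= o <= 0xFF)


def _is_quoted_pair_char(ch: str) -> bool:
    """quoted-pair = "\\" ( HTAB / SP / VCHAR / obs-text )."""
    o = ord(ch)
    return ch in " \t" or 0x21 <= o <= 0x7E or 0x80 <= o <= 0xFF


def auth_header_is_wellformed(value: str, max_len: int = MAX_AUTH_HEADER_LEN) -> bool:
    """Return True only if `value` is plausibly a WWW-Authenticate challenge list.

    Single left-to-right pass, O(len(value)), no regular expressions, so a
    hostile value costs at most one scan of up to `max_len` characters.
    Assumes latin-1-decoded text (ord(ch) <= 0xFF); anything else is rejected.
    This is a coarse structural check, not a full challenge parser.
    """
    if len(value) > max_len:
        return False

    in_quotes = False
    escaped = False
    for ch in value:
        if in_quotes:
            if escaped:
                # Character following a backslash inside a quoted-string.
                if not _is_quoted_pair_char(ch):
                    return False
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
            elif not _is_qdtext(ch):
                return False
        else:
            if ch == '"':
                in_quotes = True
            elif ch not in _TCHAR and ch not in _OUTSIDE_EXTRA:
                # U+00A0 (the advisory's "\xa0") lands here: it is not SP/HTAB
                # and not a token character, so it is rejected immediately.
                return False
    # An unterminated quoted-string (or a trailing backslash) is malformed.
    return not in_quotes


if __name__ == "__main__":
    # Constructed inputs: an ordinary Digest challenge and a hostile oversized one.
    benign = 'Digest realm="api@example.com", qop="auth", nonce="dcd98b7102dd2f0e"'
    hostile = "Basic " + "\xa0" * 100_000
    print(auth_header_is_wellformed(benign))   # True
    print(auth_header_is_wellformed(hostile))  # False
```

The explicit state machine is used instead of a regular expression so that the worst-case cost is one bounded pass regardless of what the server sends. The check is intentionally stricter than the full grammar in places (for example it does not validate that parameters are well paired), so it should sit in front of a real parser rather than replace one.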
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Httplib2 Project | Httplib2 | < 0.19.0 |
Related Weaknesses (CWE)
References
- https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d (Patch, Third Party Advisory)
- https://github.com/httplib2/httplib2/pull/182 (Patch, Third Party Advisory)
- https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m (Exploit, Mitigation, Third Party Advisory)
- https://pypi.org/project/httplib2 (Product, Third Party Advisory)
FAQ
What is CVE-2021-21240?
CVE-2021-21240 is a vulnerability with a CVSS score of 7.5 (HIGH). httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server that responds with a long series of "\xa0" characters in the "www-authenticate" header ...
How severe is CVE-2021-21240?
CVE-2021-21240 has been rated HIGH with a CVSS base score of 7.5/10; see the CVSS Score section above.
Is there a patch for CVE-2021-21240?
Yes. The issue is fixed in httplib2 0.19.0; the references section above links the patch commit, the pull request and the GitHub security advisory. Affected product: Httplib2 Project Httplib2 (versions before 0.19.0).