Vulnerability Description
A flaw was found in Python. An improperly handled HTTP response in the HTTP client code of Python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | >= 3.6.0, < 3.6.14 |
| Redhat | Codeready Linux Builder | 8.0 |
| Redhat | Codeready Linux Builder For Ibm Z Systems | 8.0 |
| Redhat | Codeready Linux Builder For Power Little Endian | 8.0 |
| Redhat | Enterprise Linux | 6.0 |
| Redhat | Enterprise Linux For Ibm Z Systems | 8.0 |
| Redhat | Enterprise Linux For Power Little Endian | 8.0 |
| Fedoraproject | Fedora | 33 |
| Canonical | Ubuntu Linux | 14.04 |
| Netapp | Hci | - |
| Netapp | Management Services For Element Software | - |
| Netapp | Netapp Xcp Smb | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Netapp | Xcp Nfs | - |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.1 |
| Oracle | Communications Cloud Native Core Policy | 22.2.0 |
Related Weaknesses (CWE)
References
- https://bugs.python.org/issue44022 (Exploit, Issue Tracking, Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1995162 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/python/cpython/pull/25916 (Patch, Third Party Advisory)
- https://github.com/python/cpython/pull/26503 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html (Patch, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220407-0009/ (Third Party Advisory)
- https://ubuntu.com/security/CVE-2021-3737 (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-3737?
CVE-2021-3737 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite...
How severe is CVE-2021-3737?
CVE-2021-3737 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3737?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Redhat Codeready Linux Builder, Redhat Codeready Linux Builder For Ibm Z Systems, Redhat Codeready Linux Builder For Power Little Endian, Redhat Enterprise Linux.