CVE Vulnerability

CVE-2021-21240

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc Patch Third Party Advisory
https://github.com/httplib2/httplib2/pull/182 Patch Third Party Advisory
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m Exploit Mitigation
https://pypi.org/project/httplib2 Product Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*
Information

Published : 2021-02-08 08:15

Updated : 2021-02-12 02:56

NVD link : CVE-2021-21240

Mitre link : CVE-2021-21240

Products Affected
No products.
CWE
CWE-400