CVE-2011-1521

Severity

64%

Complexity

99%

Confidentiality

81%

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P).

Overview

Type

Python

First reported 14 years ago

2011-05-24 23:55:00

Last updated 5 years ago

2019-10-25 11:53:00

Affected Software

Python 2.0

2.0

Python 2.0.1

2.0.1

Python 2.1

2.1

Python 2.1.1

2.1.1

Python 2.1.2

2.1.2

Python 2.1.3

2.1.3

Python 2.2

2.2

Python 2.2.1

2.2.1

Python 2.2.2

2.2.2

Python 2.2.3

2.2.3

Python 2.3.1

2.3.1

Python 2.3.2

2.3.2

Python 2.3.3

2.3.3

Python 2.3.4

2.3.4

Python 2.3.5

2.3.5

Python 2.3.7

2.3.7

Python 2.4.1

2.4.1

Python 2.4.2

2.4.2

Python Python 2.4.3

2.4.3

Python 2.4.4

2.4.4

Python 2.4.6

2.4.6

Python 2.5.1

2.5.1

Python 2.5.2

2.5.2

Python 2.5.3

2.5.3

Python 2.5.4

2.5.4

Python 2.6.1

2.6.1

Python 2.6.4

2.6.4

Python 2.6.5

2.6.5

Python 2.6.6

2.6.6

Python 2.6.7

2.6.7

Python 2.7.1

2.7.1

Python 3.0

3.0

Python 3.0.1

3.0.1

Python 3.1

3.1

Python 3.1.1

3.1.1

Python 3.1.2

3.1.2

Python 3.1.3

3.1.3

Python 3.2

3.2

Python 3.2-alpha

3.2

References

http://bugs.python.org/issue11662

Patch

http://hg.python.org/cpython/file/96a6c128822b/Misc/NEWS

http://hg.python.org/cpython/file/b2934d98dac1/Misc/NEWS

http://hg.python.org/cpython/rev/96a6c128822b/

Patch

http://hg.python.org/cpython/rev/b2934d98dac1/

Patch

APPLE-SA-2011-10-12-3

SUSE-SR:2011:009

[oss-security] 20110324 CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes

[oss-security] 20110328 Re: CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes

[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws

[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws

[oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws

50858

51024

51040

1025488

http://support.apple.com/kb/HT5002

MDVSA-2011:096

USN-1592-1

USN-1596-1

USN-1613-1

USN-1613-2

https://bugzilla.redhat.com/show_bug.cgi?id=690560

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=737366

https://www.djangoproject.com/weblog/2011/sep/09/

https://www.djangoproject.com/weblog/2011/sep/10/127/

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.