PT-2021-3621 · Apache · Apache Tomcat

Published

2021-02-13

·

Updated

2026-05-18

·

CVE-2021-23336

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions

python/cpython versions from 0 up to but not including 3.6.13
python/cpython versions from 3.7.0 up to but not including 3.7.10
python/cpython versions from 3.8.0 up to but not including 3.8.8
python/cpython versions from 3.9.0 up to but not including 3.9.2
Description

CVE-2021-23336 is a web cache poisoning issue in urllib.parse.parse_qsl and urllib.parse.parse_qs, exploited through a technique called parameter cloaking. Before the fix, these functions split a query string on both "&" and ";", whereas a reverse proxy or cache running with default settings splits only on "&". When an attacker can put a semicolon into a query string, the proxy and the Python backend disagree about where one parameter ends and the next begins: a parameter the proxy considers unkeyed (and therefore leaves out of its cache key) can carry a cloaked second copy of a keyed parameter that only the backend sees. The response to the malicious request is then stored under a cache key that looks like a completely harmless request, and later visitors receive the poisoned response. Which value wins when the backend sees the same parameter twice is implementation-specific; Apache Tomcat, for example, takes the value of the first occurrence, so the position of the cloaked copy determines whether the attack works against a given backend.
Recommendations

Update CPython to a release that contains the fix: 3.6.13 or later for the 3.6 series, 3.7.10 or later for 3.7, 3.8.8 or later for 3.8, and 3.9.2 or later for 3.9. The fix changes the default separator of urllib.parse.parse_qs and urllib.parse.parse_qsl to "&" only and adds a separator keyword argument for callers that genuinely need ";". Where updating is not immediately possible, do not hand raw query strings from proxied requests to these functions: split on "&" yourself (or reject query strings containing ";") before parsing, and make sure the cache or proxy in front of the application uses the same parameter separator as the application. Avoid relying on ";" as a query parameter separator in your own URLs so that the proxy and the backend never interpret the same request differently.

Weakness Enumeration

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Related Identifiers

ALSA-2021:4151
ALSA-2021:4162
ALT-PU-2021-1412
ALT-PU-2021-2420
ALT-PU-2021-2478
ALT-PU-2021-2653
ALT-PU-2024-3474
AZL-6827
BDU:2021-03763
BIT-DJANGO-2021-23336
BIT-LIBPYTHON-2021-23336
BIT-PYTHON-2021-23336
BIT-PYTHON-MIN-2021-23336
CESA-2021_1633
CESA-2021_4151
CESA-2021_4162
CLEANSTART-2026-BM51903
CLEANSTART-2026-SY44974
CVE-2021-23336
DLA-2569-1
DLA-2619-1
DLA-2628-1
DLA-3164-1
DLA-3575-1
MGASA-2021-0135
MGASA-2021-0165
OESA-2021-1125
OPENSUSE-SU-2021:0435-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11279-1
OPENSUSE-SU-2024:11283-1
OPENSUSE-SU-2024:11284-1
OPENSUSE-SU-2024:11285-1
OPENSUSE-SU-2024:11286-1
OPENSUSE-SU-2024:12089-1
OPENSUSE-SU-2024:12893-1
OPENSUSE-SU-2024:12910-1
OPENSUSE-SU-2024:14037-1
OPENSUSE-SU-2024:14109-1
OPENSUSE-SU-2024:14434-1
OPENSUSE-SU-2025:15713-1
PSF-2021-1
RHSA-2021:1633
RHSA-2021:3252
RHSA-2021:3254
RHSA-2021:4151
RHSA-2021:4162
RLSA-2021:4151
RLSA-2021:4162
ROSA-SA-2025-2646
SNYK-UPSTREAM-PYTHONCPYTHON-1074933
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2021:0768-1
SUSE-SU-2021:0794-1
SUSE-SU-2021:0886-1
SUSE-SU-2021:0887-1
SUSE-SU-2021:0947-1
SUSE-SU-2021:1962-1
SUSE-SU-2021:2554-1
USN-4742-1

Affected Products

Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Python