PT-2022-9905 · Python+9
Hamza Avvan · Published 2022-08-04 · Updated 2025-11-14
CVE-2021-28861
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Python versions 3.x through 3.10
Description
The issue is an open redirection vulnerability in lib/http/server.py: the server does not guard against multiple leading slashes (/) at the beginning of the URI path, which may lead to information disclosure. Note that this is disputed by a third party because the http.server.html documentation page states that http.server is not recommended for production and only implements basic security checks.
Recommendations
For versions 3.x through 3.10, consider disabling the use of http.server for production environments, as recommended by the documentation, to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
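As an added illustration (not from the advisory and not CPython's own code), the root of the problem is that a request path beginning with `//` is parsed by `urllib.parse.urlsplit` as a network location rather than a path, so a "path + /" directory redirect built from it produces a protocol-relative Location header that clients follow off-site. The hypothetical `HardenedHandler` below collapses leading slashes before routing, and `is_external_location` is a helper for auditing Location values from a server that should only redirect within its own document tree.

```python
"""Defensive handling of leading-slash request paths for http.server.

Added example: not from the advisory and not CPython's own code. The
handler subclass and helper names are hypothetical.
"""
import http.server
import urllib.parse


def collapse_leading_slashes(path: str) -> str:
    """Reduce any run of leading '/' to a single one.

    A request path such as '//example.com/%2e%2e' is read by
    urllib.parse.urlsplit as netloc='example.com', so a 'path + /'
    redirect built from it would send the client off-site. After
    collapsing, the same text is an ordinary local path.
    """
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def is_external_location(location: str) -> bool:
    """Flag Location values that name a host (with or without a scheme).

    Useful when auditing responses from a server that should only ever
    redirect within its own document tree.
    """
    return urllib.parse.urlsplit(location).netloc != ""


class HardenedHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that normalises self.path before routing."""

    def parse_request(self) -> bool:
        ok = super().parse_request()
        if ok:
            # Normalise here so every later use of self.path (including
            # the directory redirect in send_head) sees a local path.
            self.path = collapse_leading_slashes(self.path)
        return ok


if __name__ == "__main__":
    # Serves the current directory on port 8000 with the hardened handler.
    http.server.test(HandlerClass=HardenedHandler, port=8000)
```

This only narrows the redirect behaviour; the advisory's recommendation to keep http.server out of production still applies.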
Open Redirect
Affected Products
Alt Linux
Almalinux
Centos
Debian
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu