CVE-2021-21240 (High) detected in httplib2-0.18.1.tar.gz - autoclosed
CVE-2021-21240 - High Severity Vulnerability
Vulnerable Library - httplib2-0.18.1.tar.gz
A comprehensive HTTP client library.
Library home page: https://files.pythonhosted.org/packages/98/3f/0769a851fbb0ecc458260055da67d550d3015ebe6b8b861c79ad00147bb9/httplib2-0.18.1.tar.gz
Path to dependency file: wikibot/requirements.txt
Path to vulnerable library: wikibot/requirements.txt
Dependency Hierarchy:
- google_api_python_client-1.12.8-py2.py3-none-any.whl (Root Library)
  - ❌ httplib2-0.18.1.tar.gz (Vulnerable Library)
Found in HEAD commit: c6bf4b5a3ae9d6a08215141dc07c0566281ec8c9
Found in base branch: master
Vulnerability Details
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of "\xa0" characters in the "www-authenticate" header may cause a Denial of Service (CPU burn while parsing the header) in the httplib2 client accessing said server. This is fixed in version 0.19.0, which contains a new implementation of auth header parsing using the pyparsing library.
Publish Date: 2021-02-08
URL: CVE-2021-21240
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-93xj-8mrv-444m
Release Date: 2021-02-08
Fix Resolution: v0.19.0
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.