themagicalmammal/wikibot

CVE-2021-21240 (High) detected in httplib2-0.18.1.tar.gz - autoclosed

Closed this issue · 3 comments

CVE-2021-21240 - High Severity Vulnerability

Vulnerable Library - httplib2-0.18.1.tar.gz

A comprehensive HTTP client library.

Library home page: https://files.pythonhosted.org/packages/98/3f/0769a851fbb0ecc458260055da67d550d3015ebe6b8b861c79ad00147bb9/httplib2-0.18.1.tar.gz

Path to dependency file: wikibot/requirements.txt

Path to vulnerable library: wikibot/requirements.txt

Dependency Hierarchy:

  • google_api_python_client-1.12.8-py2.py3-none-any.whl (Root Library)
    • httplib2-0.18.1.tar.gz (Vulnerable Library)

Found in HEAD commit: c6bf4b5a3ae9d6a08215141dc07c0566281ec8c9

Found in base branch: master

Vulnerability Details

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server that responds with a long series of "\xa0" characters in the "www-authenticate" header may cause a Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing that server. This is fixed in version 0.19.0, which contains a new implementation of auth header parsing using the pyparsing library.

Publish Date: 2021-02-08

URL: CVE-2021-21240

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-93xj-8mrv-444m

Release Date: 2021-02-08

Fix Resolution: v0.19.0


✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.