CVE-2021-3737

HIGH

Python - DoS

Description

A flaw was found in Python. An improperly handled HTTP response in the HTTP client code of Python may allow a remote attacker who controls the HTTP server to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Scores

CVSS v3: 7.5
EPSS: 0.0012
EPSS Percentile: 30.8%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE: CWE-400, CWE-835
Status: published

Affected Products (24)

python/python < 3.6.14
redhat/codeready_linux_builder
redhat/codeready_linux_builder_for_ibm_z_systems
redhat/codeready_linux_builder_for_power_little_endian
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux_for_ibm_z_systems
redhat/enterprise_linux_for_power_little_endian
fedoraproject/fedora
fedoraproject/fedora
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
... and 9 more

Timeline

Published: Mar 04, 2022
Tracked Since: Feb 18, 2026