Open Redirect Affecting python-tk package, versions <2.7.18-150000.44.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES152-PYTHONTK-3050938
- published 18 Oct 2022
- disclosed 17 Oct 2022
Introduced: 17 Oct 2022
CVE-2021-28861 Open this link in a new tabHow to fix?
Upgrade SLES:15.2 python-tk to version 2.7.18-150000.44.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-tk package and not the python-tk package as distributed by SLES.
See How to fix? for SLES:15.2 relevant fixed versions and status.
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
References
- https://www.suse.com/security/cve/CVE-2021-28861.html
- https://bugzilla.suse.com/1202624
- https://bugzilla.suse.com/1204077
- https://bugzilla.suse.com/1204801
- https://bugzilla.suse.com/1204802
- https://bugzilla.suse.com/1205068
- https://bugzilla.suse.com/1205075
- https://bugzilla.suse.com/1205467
- https://bugs.python.org/issue43223
- https://github.com/python/cpython/pull/24848
- https://github.com/python/cpython/pull/93879
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/
- https://security.gentoo.org/glsa/202305-02
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TRINJE3INWDVIHIABW4L2NP3RUSK7BJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LTSPFIULY2GZJN3QYNFVM4JSU6H4D6J/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OABQ5CMPQETJLFHROAXDIDXCMDTNVYG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DISZAFSIQ7IAPAEQTC7G2Z5QUA2V2PSW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPX4XHT2FGVQYLY2STT2MRVENILNZTTU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3MQT5ZE3QH5PVDJMERTBOCILHK35CBE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRGKPYA5YHIXQAMRIXO5DSCX7D4UUW4Q/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLE5INSVJUZJGY5OJXV6JREXWD7UDHYN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G66SRWUM36ENQ3X6LAIG7HAB27D4XJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZEPOPUFC42KXXSLFPZ47ZZRGPOR7SQE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X46T4EFTIBXZRYTGASBDEZGYJINH2OWV/