CVE-2021-3737

Description

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

How to fix CVE-2021-3737

To remediate CVE-2021-3737, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.6.14 or later
• —upgrade to 3.6.14 or later
• —upgrade to 3.6.14 or later
• —upgrade to 7.3.5+dfsg-2+deb11u4 or later
• —no fix listed
• —upgrade to 3.9.2-1+deb11u2 or later

Is CVE-2021-3737 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.11, >= 3.9.0, < 3.9.6
• from 0, < 7.3.5+dfsg-2+deb11u4
• from 0
• from 0, < 3.9.2-1+deb11u2

CVSS scores

References (14)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3737
• WEBbugs.python.org/issue44022
• WEBbugzilla.redhat.com/show_bug.cgi?id=1995162
• WEBgithub.com/python/cpython/pull/25916
• WEBgithub.com