ID CVE-2011-1521
Summary The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
References
Vulnerable Configurations
  • cpe:2.3:a:python:python:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 25-10-2019 - 11:53)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment python is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491002
        • comment python is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713003
      • AND
        • comment python-devel is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491004
        • comment python-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713009
      • AND
        • comment python-docs is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491006
        • comment python-docs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713013
      • AND
        • comment python-tools is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491008
        • comment python-tools is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713007
      • AND
        • comment tkinter is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491010
        • comment tkinter is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713005
    rhsa
    id RHSA-2011:0491
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0491: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment python is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492002
        • comment python is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176003
      • AND
        • comment python-devel is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492008
        • comment python-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176005
      • AND
        • comment python-libs is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492006
        • comment python-libs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20110027005
      • AND
        • comment python-tools is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492010
        • comment python-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176009
      • AND
        • comment tkinter is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492004
        • comment tkinter is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176007
    rhsa
    id RHSA-2011:0492
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0492: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment python-docs is earlier than 0:2.6.6-2.el6
          oval oval:com.redhat.rhsa:tst:20110554005
        • comment python-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554006
      • AND
        • comment python is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554007
        • comment python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554008
      • AND
        • comment python-devel is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554009
        • comment python-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554010
      • AND
        • comment python-libs is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554013
        • comment python-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554014
      • AND
        • comment python-test is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554015
        • comment python-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554016
      • AND
        • comment python-tools is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554011
        • comment python-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554012
      • AND
        • comment tkinter is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554017
        • comment tkinter is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554018
    rhsa
    id RHSA-2011:0554
    released 2011-05-19
    severity Moderate
    title RHSA-2011:0554: python security, bug fix, and enhancement update (Moderate)
rpms
  • python-0:2.3.4-14.10.el4
  • python-devel-0:2.3.4-14.10.el4
  • python-docs-0:2.3.4-14.10.el4
  • python-tools-0:2.3.4-14.10.el4
  • tkinter-0:2.3.4-14.10.el4
  • python-0:2.4.3-44.el5
  • python-devel-0:2.4.3-44.el5
  • python-libs-0:2.4.3-44.el5
  • python-tools-0:2.4.3-44.el5
  • tkinter-0:2.4.3-44.el5
  • python-docs-0:2.6.6-2.el6
  • python-0:2.6.6-20.el6
  • python-devel-0:2.6.6-20.el6
  • python-libs-0:2.6.6-20.el6
  • python-test-0:2.6.6-20.el6
  • python-tools-0:2.6.6-20.el6
  • tkinter-0:2.6.6-20.el6
refmap via4
apple APPLE-SA-2011-10-12-3
confirm
mandriva MDVSA-2011:096
mlist
  • [oss-security] 20110324 CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110328 Re: CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
sectrack 1025488
secunia
  • 50858
  • 51024
  • 51040
suse SUSE-SR:2011:009
ubuntu
  • USN-1592-1
  • USN-1596-1
  • USN-1613-1
  • USN-1613-2
Last major update 25-10-2019 - 11:53
Published 24-05-2011 - 23:55