ID CVE-2011-1521
Summary The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
References
Vulnerable Configurations
  • Python 2.6
    cpe:2.3:a:python:python:2.6
  • Python 2.5.3
    cpe:2.3:a:python:python:2.5.3
  • Python 2.6.1
    cpe:2.3:a:python:python:2.6.1
  • Python 2.3.2
    cpe:2.3:a:python:python:2.3.2
  • Python 2.3.1
    cpe:2.3:a:python:python:2.3.1
  • Python 2.5.2
    cpe:2.3:a:python:python:2.5.2
  • Python 2.4
    cpe:2.3:a:python:python:2.4
  • Python 2.1.2
    cpe:2.3:a:python:python:2.1.2
  • Python 2.1
    cpe:2.3:a:python:python:2.1
  • Python 2.2.1
    cpe:2.3:a:python:python:2.2.1
  • Python 2.2
    cpe:2.3:a:python:python:2.2
  • Python 2.3.4
    cpe:2.3:a:python:python:2.3.4
  • Python 2.4.3
    cpe:2.3:a:python:python:2.4.3
  • Python 2.3.5
    cpe:2.3:a:python:python:2.3.5
  • Python 2.3
    cpe:2.3:a:python:python:2.3
  • Python 2.3.3
    cpe:2.3:a:python:python:2.3.3
  • Python 2.2.2
    cpe:2.3:a:python:python:2.2.2
  • Python 2.2.3
    cpe:2.3:a:python:python:2.2.3
  • Python 2.1.1
    cpe:2.3:a:python:python:2.1.1
  • Python 2.7
    cpe:2.3:a:python:python:2.7
  • Python 2.5.1
    cpe:2.3:a:python:python:2.5.1
  • Python 2.5
    cpe:2.3:a:python:python:2.5
  • Python 2.4.4
    cpe:2.3:a:python:python:2.4.4
  • Python 2.4.2
    cpe:2.3:a:python:python:2.4.2
  • Python 2.4.1
    cpe:2.3:a:python:python:2.4.1
  • Python 2.0.1
    cpe:2.3:a:python:python:2.0.1
  • Python 2.0
    cpe:2.3:a:python:python:2.0
  • Python 2.6.4
    cpe:2.3:a:python:python:2.6.4
  • Python 2.3.7
    cpe:2.3:a:python:python:2.3.7
  • Python 2.1.3
    cpe:2.3:a:python:python:2.1.3
  • Python 2.5.4
    cpe:2.3:a:python:python:2.5.4
  • Python 2.4.6
    cpe:2.3:a:python:python:2.4.6
  • Python 2.6.7
    cpe:2.3:a:python:python:2.6.7
  • Python 2.6.6
    cpe:2.3:a:python:python:2.6.6
  • Python 2.6.5
    cpe:2.3:a:python:python:2.6.5
  • Python 2.7.1
    cpe:2.3:a:python:python:2.7.1
  • Python 3.1
    cpe:2.3:a:python:python:3.1
  • Python 3.2-alpha
    cpe:2.3:a:python:python:3.2:alpha
  • Python 3.1.2
    cpe:2.3:a:python:python:3.1.2
  • Python 3.0.1
    cpe:2.3:a:python:python:3.0.1
  • Python 3.1.1
    cpe:2.3:a:python:python:3.1.1
  • Python 3.0
    cpe:2.3:a:python:python:3.0
  • Python 3.1.3
    cpe:2.3:a:python:python:3.1.3
  • Python 3.2
    cpe:2.3:a:python:python:3.2
CVSS
Base: 6.4 (as of 25-05-2011 - 09:28)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). - CVE-2011-1521 : CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 54641
    published 2011-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54641
    title SuSE 11.1 Security Update : Python (SAT Patch Number 4512)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75608
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75608
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75916
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75916
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_608089_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities : - A denial of service vulnerability exists in the big2_toUtf8() function in file lib/xmltok.c in the libexpat library. A remote attacker can exploit this, via an XML document having malformed UTF-8 sequences, to cause a buffer over-read, thus crashing the application. (CVE-2009-3560) - A denial of service vulnerability exists in the updatePosition() function in file lib/xmltok.c in the libexpat library. A remote attacker can exploit this, via an XML document having malformed UTF-8 sequences, to cause a buffer over-read, thus crashing the application. (CVE-2009-3720) - An integer overflow condition exists in the BZ2_decompress() function in file decompress.c in the bzip2 and libbzip2 library. A remote attacker can exploit this, via a crafted compressed file, to cause a denial of service or the execution of arbitrary code. (CVE-2010-0405) - A denial of service vulnerability exists in the audioop module due to multiple integer overflows conditions in file audioop.c. A remote attacker can exploit this, via a large fragment or argument, to cause a buffer overflow, resulting in an application crash. (CVE-2010-1634) - A denial of service vulnerability exists in the audioop module due to a failure to verify the relationships between size arguments and byte string length. A remote attacker can exploit this, via crafted arguments, to cause memory corruption, resulting in an application crash. (CVE-2010-2089) - A flaw exists in the urllib and urllib2 modules due to processing Location headers that specify redirection to a file. A remote attacker can exploit this, via a crafted URL, to gain sensitive information or cause a denial of service. (CVE-2011-1521) - A privilege escalation vulnerability exists due to an incorrect ACL being used for the VMware Tools folder. 
    An attacker on an adjacent network with access to a guest operating system can exploit this to gain elevated privileges on the guest operating system. (CVE-2012-1518)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70881
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70881
    title ESXi 5.0 < Build 608089 Multiple Vulnerabilities (remote check)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PYTHON-7506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 57248
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57248
    title SuSE 10 Security Update : python (ZYPP Patch Number 7506)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_7_2.NASL
    description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.2. This version contains numerous security-related fixes for the following components : - Apache - Application Firewall - ATS - BIND - Certificate Trust Policy - CFNetwork - CoreMedia - CoreProcesses - CoreStorage - File Systems - iChat Server - Kernel - libsecurity - Open Directory - PHP - python - QuickTime - SMB File Server - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 56480
    published 2011-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56480
    title Mac OS X 10.7.x < 10.7.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53885
    published 2011-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53885
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1596-1.NASL
    description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. 
    An attacker could cause a denial of service under certain circumstances. This update adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. (CVE-2012-1150). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62436
    published 2012-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62436
    title Ubuntu 10.04 LTS / 11.04 / 11.10 : python2.6 vulnerabilities (USN-1596-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PYTHON-7509.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 54643
    published 2011-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54643
    title SuSE 10 Security Update : python (ZYPP Patch Number 7509)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1613-1.NASL
    description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that the Expat module in Python 2.5 computed hash values without restricting the ability to trigger hash collisions predictably. 
    If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that the Expat module in Python 2.5 did not properly handle memory reallocation when processing XML files. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. (CVE-2012-1148). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62619
    published 2012-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62619
    title Ubuntu 8.04 LTS : python2.5 vulnerabilities (USN-1613-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-096.NASL
    description Multiple vulnerabilities have been identified and fixed in python : The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI (CVE-2011-1015). A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the file:// URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed (CVE-2011-1521). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 54611
    published 2011-05-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54611
    title Mandriva Linux Security Advisory : python (MDVSA-2011:096)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-0492.NASL
    description Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. 
    All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53815
    published 2011-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53815
    title CentOS 5 : python (CESA-2011:0492)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0554.NASL
    description Updated python packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) This erratum also upgrades Python to upstream version 2.6.6, and includes a number of bug fixes and enhancements. Documentation for these bug fixes and enhancements is available from the Technical Notes document, linked to in the References section. All users of Python are advised to upgrade to these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 54592
    published 2011-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54592
    title RHEL 6 : python (RHSA-2011:0554)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1592-1.NASL
    description