ID CVE-2011-1521
Summary The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
References
Vulnerable Configurations
  • cpe:2.3:a:python:python:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 25-10-2019 - 11:53)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment python is earlier than 0:2.3.4-14.10.el4
            oval oval:com.redhat.rhsa:tst:20110491001
          • comment python is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060197002
        • AND
          • comment python-devel is earlier than 0:2.3.4-14.10.el4
            oval oval:com.redhat.rhsa:tst:20110491003
          • comment python-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060197004
        • AND
          • comment python-docs is earlier than 0:2.3.4-14.10.el4
            oval oval:com.redhat.rhsa:tst:20110491005
          • comment python-docs is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060197006
        • AND
          • comment python-tools is earlier than 0:2.3.4-14.10.el4
            oval oval:com.redhat.rhsa:tst:20110491007
          • comment python-tools is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060197008
        • AND
          • comment tkinter is earlier than 0:2.3.4-14.10.el4
            oval oval:com.redhat.rhsa:tst:20110491009
          • comment tkinter is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060197010
    rhsa
    id RHSA-2011:0491
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0491: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment python is earlier than 0:2.4.3-44.el5
            oval oval:com.redhat.rhsa:tst:20110492001
          • comment python is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20091176002
        • AND
          • comment python-devel is earlier than 0:2.4.3-44.el5
            oval oval:com.redhat.rhsa:tst:20110492003
          • comment python-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20091176004
        • AND
          • comment python-libs is earlier than 0:2.4.3-44.el5
            oval oval:com.redhat.rhsa:tst:20110492005
          • comment python-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20110027006
        • AND
          • comment python-tools is earlier than 0:2.4.3-44.el5
            oval oval:com.redhat.rhsa:tst:20110492007
          • comment python-tools is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20091176006
        • AND
          • comment tkinter is earlier than 0:2.4.3-44.el5
            oval oval:com.redhat.rhsa:tst:20110492009
          • comment tkinter is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20091176008
    rhsa
    id RHSA-2011:0492
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0492: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment python-docs is earlier than 0:2.6.6-2.el6
            oval oval:com.redhat.rhsa:tst:20110554001
          • comment python-docs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554002
        • AND
          • comment python is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554003
          • comment python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554004
        • AND
          • comment python-devel is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554005
          • comment python-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554006
        • AND
          • comment python-libs is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554007
          • comment python-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554008
        • AND
          • comment python-test is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554009
          • comment python-test is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554010
        • AND
          • comment python-tools is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554011
          • comment python-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554012
        • AND
          • comment tkinter is earlier than 0:2.6.6-20.el6
            oval oval:com.redhat.rhsa:tst:20110554013
          • comment tkinter is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554014
    rhsa
    id RHSA-2011:0554
    released 2011-05-19
    severity Moderate
    title RHSA-2011:0554: python security, bug fix, and enhancement update (Moderate)
rpms
  • python-0:2.3.4-14.10.el4
  • python-debuginfo-0:2.3.4-14.10.el4
  • python-devel-0:2.3.4-14.10.el4
  • python-docs-0:2.3.4-14.10.el4
  • python-tools-0:2.3.4-14.10.el4
  • tkinter-0:2.3.4-14.10.el4
  • python-0:2.4.3-44.el5
  • python-debuginfo-0:2.4.3-44.el5
  • python-devel-0:2.4.3-44.el5
  • python-libs-0:2.4.3-44.el5
  • python-tools-0:2.4.3-44.el5
  • tkinter-0:2.4.3-44.el5
  • python-0:2.6.6-20.el6
  • python-debuginfo-0:2.6.6-20.el6
  • python-devel-0:2.6.6-20.el6
  • python-docs-0:2.6.6-2.el6
  • python-libs-0:2.6.6-20.el6
  • python-test-0:2.6.6-20.el6
  • python-tools-0:2.6.6-20.el6
  • tkinter-0:2.6.6-20.el6
refmap via4
apple APPLE-SA-2011-10-12-3
confirm
mandriva MDVSA-2011:096
mlist
  • [oss-security] 20110324 CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110328 Re: CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
sectrack 1025488
secunia
  • 50858
  • 51024
  • 51040
suse SUSE-SR:2011:009
ubuntu
  • USN-1592-1
  • USN-1596-1
  • USN-1613-1
  • USN-1613-2
Last major update 25-10-2019 - 11:53
Published 24-05-2011 - 23:55
Last modified 25-10-2019 - 11:53