CVE-2021-3737
Advisory lineage: Upstream: 0 • Downstream: 32
Modified
Published: 04 Mar 2022, 00:00
Last modified: 17 Dec 2025, 21:32
Vulnerability Summary
Overall Risk (default): medium (40/100)
CVSS Score: 7.5 HIGH (v3.1, cve.org)
EPSS Score: 0.12% LOW (0% probability, -0.05%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
- 04 Mar 2022, 00:00 • Published: vulnerability first disclosed
- 17 Dec 2025, 21:32 • Last Modified: vulnerability information updated
Description
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0 • HIGH • Score: 7.1 • Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.12% • Percentile: 30%
Techniques & Countermeasures
- CWE-835 • Loop with Unreachable Exit Condition ('Infinite Loop')
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
- CWE-400 • Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- canonical•ubuntu_linux
14.04 | 16.04 | 18.04 | 20.04 | 21.04
- fedoraproject•fedora
33 | 34
- netapp•hci
na
- netapp•management_services_for_element_software
na
- netapp•netapp_xcp_smb
na
- netapp•ontap_select_deploy_administration_utility
na
- netapp•xcp_nfs
na
- oracle•communications_cloud_native_core_binding_support_function
22.1.3
- oracle•communications_cloud_native_core_network_exposure_function
22.1.1
- oracle•communications_cloud_native_core_policy
22.2.0
- python•python
≥ 3.6.0, < 3.6.14 | ≥ 3.7.0, < 3.7.11 | ≥ 3.8.0, < 3.8.11 | ≥ 3.9.0, < 3.9.6
- redhat•codeready_linux_builder
8.0
- redhat•codeready_linux_builder_for_ibm_z_systems
8.0
- redhat•codeready_linux_builder_for_power_little_endian
8.0
- redhat•enterprise_linux
6.0 | 7.0 | 8.0
- redhat•enterprise_linux_for_ibm_z_systems
8.0
- redhat•enterprise_linux_for_power_little_endian
8.0
References (12)
- https://bugs.python.org/issue44022
- https://github.com/python/cpython/pull/25916
- https://bugzilla.redhat.com/show_bug.cgi?id=1995162
- https://github.com/python/cpython/pull/26503
- https://ubuntu.com/security/CVE-2021-3737
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html
- https://security.netapp.com/advisory/ntap-20220407-0009/
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html