DEBIAN-CVE-2021-23336

Advisory lineage Upstream: 1 Downstream: 5

Upstream

CVE-2021-23336

Downstream

DLA-2569-1 DLA-2619-1 DLA-2628-1 DLA-3164-1 DLA-3575-1

Published: 15 Feb 2021, 13:15

Last modified:28 Apr 2026, 20:21

Vulnerability Summary

Overall Risk (default)

low

24/100

CVSS Score

5.9 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

15 Feb 2021, 13:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:21

Last Modified

Vulnerability information updated

Description

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

CVSS Metrics

v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Systems

debian•pypy3
< 7.3.3+dfsg-3 | < 7.3.3+dfsg-3 | < 7.3.3+dfsg-3 | < 7.3.3+dfsg-3
debian•python-django
< 2:2.2.19-1 | < 2:2.2.19-1 | < 2:2.2.19-1 | < 2:2.2.19-1
debian•python2.7
< 2.7.18-8+deb11u1
debian•python3.9
< 3.9.2-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2021-23336