Add CVE-2021-23336

bugs.txt

@@ -319,3 +319,8 @@
     author: Jordy Zomer
     date: 2021-01-16.08:03:26.704
     title: '[security] ctypes double representation BoF'
+42967:
+    author: Adam Goldschmidt
+    date: 2021-01-19.15:06:48.939
+    title: '[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; `
+        as a query args separator'

commit_dates.txt

@@ -93,6 +93,7 @@
 59bdf6392de446de8a19bfa37cee52981612830e: Thu Mar 12 11:12:51 2015 +0200
 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4: Wed Jul 15 13:51:00 2020 +0200
 5bdff60617e6fc1d2e387a0b165cb23b82d7dae6: Tue Mar 11 21:18:06 2008 +0000
+5c17dfc5d70ce88be99bc5769b91ce79d7a90d61: Mon Feb 15 11:16:43 2021 -0800
 5ce3f10aeea711bb912e948fa5d9f63736df1327: Thu Jan 9 14:50:20 2014 +0200
 5e808f92ea4eb238b17757526b99f97debf7dd57: Fri Oct 19 16:09:23 2018 -0700
 5ea3d0f95b51009fa1c3409e7dd1c12006427ccc: Mon Nov 1 15:18:09 2010 +0000
@@ -205,12 +206,14 @@ c50d437e942d4c4c45c8cd76329b05340c02eb31: Wed May 8 18:33:24 2019 +0200
 c55479556db015f48fc8bbca17f64d3e65598559: Wed Jul 15 05:30:53 2020 -0700
 c9516754067d71fd7429a25ccfcb2141fc583523: Sat Mar 3 22:59:12 2018 -0800
 c9cb18d3f7e5bf03220c213183ff0caa75905bdd: Tue Sep 30 14:12:24 2014 +0200
+c9f07813ab8e664d8c34413c4fc2d4f86c061a92: Mon Feb 15 10:03:31 2021 -0800
 ca75fec1ed358f7324272608ca952b2d8226d11a: Sun Jul 19 02:27:35 2020 -0700
 cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84: Thu Jul 16 21:48:01 2020 +0200
 cb5778f00ce48631c7140f33ba242496aaf7102b: Tue Sep 18 14:38:58 2018 +0200
 cb6085138a845f8324adc011b65754acc2086cc0: Fri Nov 22 06:42:13 2019 -0800
 cc54c1c0d2d05fe7404ba64c53df4b1352ed2262: Wed Jul 12 14:51:46 2017 +0200
 cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9: Wed Jul 1 01:00:22 2020 +0530
+d0d4d30882fe3ab9b1badbecf5d15d94326fd13e: Mon Feb 15 10:34:14 2021 -0800
 d0e61bded5256e775e470e2c0da22367a1a81970: Wed Aug 16 18:05:57 2017 +0200
 d16eaf36795da48b930b80b20d3805bc27820712: Mon Feb 25 22:02:17 2019 +0100
 d174d24a5d37d1516b885dc7c82f71ecd5930700: Fri Jun 23 19:39:27 2017 +0300
@@ -233,6 +236,7 @@ dd15f6c315f20c1a9a540dd757cd63e27dbe9f3c: Sun Mar 16 00:07:10 2008 +0000
 e052d40cea15f582b50947f7d906b39744dc62a2: Sat Mar 3 22:18:17 2018 -0800
 e176e0c105786e9f476758eb5438c57223b65e7f: Thu Mar 19 02:35:44 2020 +0100
 e260f092cd0d8975c777e73ca6fb549d59b5d452: Sun Mar 17 04:24:03 2019 +0530
+e3110c3cfbb7daa690d54d0eff6c264c870a71bf: Mon Feb 15 10:15:02 2021 -0800
 e37ef41289b77e0f0bb9a6aedb0360664c55bdd5: Thu Mar 7 09:08:45 2019 -0800
 e3e7d40514e5dd0c3847682a719577efcfae1d8f: Sun Nov 23 21:02:02 2014 -0600
 e46f1c19642ea1882f427d8246987ba49351a97d: Wed Jul 19 05:40:10 2017 +0300
@@ -268,6 +272,7 @@ f91a0b6df14d6c5133fe3d5889fad7d84fc0c046: Fri Jun 12 17:33:19 2020 +0200
 fa53dbdec818b0f2a0e22ca12a49d83ec948fc91: Fri Mar 10 01:49:11 2017 +0100
 faad6bbea6c86e30c770eb0a3648e2cd52b2e55e: Fri Dec 5 20:02:38 2014 -0500
 fbf648ebba32bbc5aa571a4b09e2062a65fd2492: Mon Jan 13 22:59:38 2014 -0500
+fcbe0cb04d35189401c0c880ebfb4311e952d776: Mon Feb 15 00:41:57 2021 +0200
 fd1771dbdd28709716bd531580c40ae5ed814468: Tue Jun 4 11:43:52 2019 -0700
 fd8614c5c5466a14a945db5b059c10c0fb8f76d9: Fri Dec 8 22:34:12 2017 +0100
 fe82c46327effc124ff166e1fa1e611579e1176b: Tue Jul 11 13:24:10 2017 +0300

cve/CVE-2021-23336.json

@@ -0,0 +1,20 @@
+{
+    "Modified": "2021-02-15T13:15:00",
+    "Published": "2021-02-15T13:15:00",
+    "access": {},
+    "assigner": "cve@mitre.org",
+    "cvss": null,
+    "cwe": "Unknown",
+    "id": "CVE-2021-23336",
+    "impact": {},
+    "last-modified": "2021-02-15T13:15:00",
+    "references": [
+        "https://github.com/python/cpython/pull/24297",
+        "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/",
+        "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
+    ],
+    "summary": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.",
+    "vulnerable_configuration": [],
+    "vulnerable_configuration_cpe_2_2": [],
+    "vulnerable_product": []
+}

vulnerabilities.yaml

@@ -1633,3 +1633,30 @@
    - 3.10: 916610ef90a0d0761f08747f7b0905541f0977c7
   description: |
     There's a buffer overflow in the ctypes ``PyCArg_repr()`` function.
+
+- name: "urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator"
+  slug: urllib-query-string-semicolon-separator
+  cve: CVE-2021-23336
+  bpo: 42967
+  links:
+   - https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
+  fixed-in:
+   - 3.10: fcbe0cb04d35189401c0c880ebfb4311e952d776
+   - 3.9: c9f07813ab8e664d8c34413c4fc2d4f86c061a92
+   - 3.8: e3110c3cfbb7daa690d54d0eff6c264c870a71bf
+   - 3.7: d0d4d30882fe3ab9b1badbecf5d15d94326fd13e
+   - 3.6: 5c17dfc5d70ce88be99bc5769b91ce79d7a90d61
+  description: |
+    The urlparse module treats semicolon as a separator, whereas most proxies
+    today only take ampersands as separators.
+
+    When the attacker can separate query parameters using a semicolon ``;``,
+    they can cause a difference in the interpretation of the request between
+    the proxy (running with default configuration) and the server. This can
+    result in malicious requests being cached as completely safe ones, as the
+    proxy would usually not see the semicolon as a separator, and therefore
+    would not include it in a cache key of an unkeyed parameter - such as
+    `utm_*` parameters, which are usually unkeyed.
+
+    The fix is to only ampersands ``&`` as the only separator, and add
+    a *separator* parameter to chose the separator characters.