VDB
CVE-2021-21240
CVE-2021-21240
PUBLISHED
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
EPSS 1.99% · 83.9th percentile
Risk Scores
EPSS Score
1.99%
83.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | python-httplib2 | 0, 0.9.2+dfsg-1ubuntu0.3, 0.9.2+dfsg-1ubuntu0.2 |
| Ubuntu:22.04:LTS | python-httplib2 | 0.20.2-2, 0.18.1-3ubuntu1, 0 |
| Ubuntu:20.04:LTS | python-httplib2 | 0, 0.11.3-2, 0.11.3-2build1 |
| Ubuntu:16.04:LTS | python-httplib2 | 0.9.1+dfsg-1, 0, * |
| Ubuntu:14.04:LTS | python-httplib2 | 0.8-2build1, 0.8-2, 0 |
Timeline
- Feb 8, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Sep 23, 2024 CVE Updated
- Mar 17, 2025 EPSS Score
- Mar 22, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 17, 2025 EPSS Score
- Apr 26, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21240 third-party-advisory
- https://github.com/httplib2/httplib2/pull/182 third-party-advisory
- https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m third-party-advisory
- https://pypi.org/project/httplib2 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-21240 third-party-advisory