netapp inventory-collect-tool CVE-2021-23336 vulnerability in NetApp and Other Products
Published on February 15, 2021

Web Cache Poisoning

product logo product logo product logo product logo product logo product logo
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-23336 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
HIGH

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2021-23336 has been classified to as a HTTP Request Smuggling vulnerability or weakness.


Products Associated with CVE-2021-23336

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-23336 are published in these products:

NetApp Inventory Collect Tool
 
NetApp Ontap Select Deploy Administration Utility
 
NetApp Snapcenter
 
Python
 
Debian Linux
 
Fedora Project Fedora
 
Django Project Django
 
Oracle Zfs Storage Appliance
 
Oracle Communications Offline Mediation Controller
 
Oracle Communications Pricing Design Center
 
NetApp Cloud Backup
 
Oracle Enterprise Manager Ops Center
 

Exploit Probability

EPSS
0.30%
Percentile
52.94%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.