{"id":"PYSEC-2021-16","details":"httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server. This is fixed in version 0.19.0, which contains a new implementation of auth header parsing using the pyparsing library.","aliases":["CVE-2021-21240","GHSA-93xj-8mrv-444m"],"modified":"2023-11-01T04:54:09.559230Z","published":"2021-02-08T20:15:00Z","references":[{"type":"FIX","url":"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"},{"type":"WEB","url":"https://github.com/httplib2/httplib2/pull/182"},{"type":"ADVISORY","url":"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"},{"type":"PACKAGE","url":"https://pypi.org/project/httplib2"}],"affected":[{"package":{"name":"httplib2","ecosystem":"PyPI","purl":"pkg:pypi/httplib2"},"ranges":[{"type":"GIT","repo":"https://github.com/httplib2/httplib2","events":[{"introduced":"0"},{"fixed":"bd9ee252c8f099608019709e22c0d705e98d26bc"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.19.0"}]}],"versions":["0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.8","0.9","0.9.1","0.9.2","0.10.3","0.11.0","0.11.1","0.11.3","0.12.0","0.12.1","0.12.3","0.13.0","0.13.1","0.14.0","0.15.0","0.16.0","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.18.0","0.18.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/httplib2/PYSEC-2021-16.yaml"}}],"schema_version":"1.7.3"}