CVE-2021-33503

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-33503

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33503.json

Aliases

GHSA-q2q7-5pp4-w6pg
PYSEC-2021-108

Related

ALSA-2021:4160
ALSA-2021:4162
RLSA-2021:4160
RLSA-2021:4162
USN-5812-1

Published

2021-06-29T11:15:07Z

Modified

2023-11-29T08:55:20.229770Z

Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

References

https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
https://security.gentoo.org/glsa/202107-36
https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

Affected packages

Git / github.com/urllib3/urllib3

Affected ranges

Type: GIT
Repo: https://github.com/urllib3/urllib3
Events: Fixed

2d4a3fee6de2fa45eb82169361918f759269b4ec

Introduced

7e856c04723036934fe314c63701466e4f42d2ee

Affected versions

1.*

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

1.26.0

1.26.1

1.26.2

1.26.3

1.26.4