Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEycTctNXBwNC13NnBn
Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
Impact
When provided with a URL containing many @
characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Patches
The issue has been fixed in urllib3 v1.26.5.
References
For more information
If you have any questions or comments about this advisory:
- Ask in our community Discord
- Email [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEycTctNXBwNC13NnBn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-q2q7-5pp4-w6pg, CVE-2021-33503
References:
- https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- https://nvd.nist.gov/vuln/detail/CVE-2021-33503
- https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
- https://security.gentoo.org/glsa/202107-36
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65
Affected Packages
pypi:urllib3
Dependent packages: 3,966Dependent repositories: 422,295
Downloads: 484,399,983 last month
Affected Version Ranges: >= 1.25.4, < 1.26.5
Fixed in: 1.26.5
All affected versions: 1.25.4, 1.25.5, 1.25.6, 1.25.7, 1.25.8, 1.25.9, 1.25.10, 1.25.11, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4
All unaffected versions: 0.3.1, 0.4.0, 0.4.1, 1.0.1, 1.0.2, 1.2.1, 1.2.2, 1.7.1, 1.8.2, 1.8.3, 1.9.1, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.13.1, 1.15.1, 1.18.1, 1.19.1, 1.21.1, 1.24.1, 1.24.2, 1.24.3, 1.25.1, 1.25.2, 1.25.3, 1.26.5, 1.26.6, 1.26.7, 1.26.8, 1.26.9, 1.26.10, 1.26.11, 1.26.12, 1.26.13, 1.26.14, 1.26.15, 1.26.16, 1.26.17, 1.26.18, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.2.0, 2.2.1