CVE-2021-33503
First published: Tue Jun 01 2021(Updated: )
### Impact When provided with a URL containing many `@` characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. ### Patches The issue has been fixed in urllib3 v1.26.5. ### References - [CVE-2021-33503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503) - [JVNVU#92413403 (English)](https://jvn.jp/en/vu/JVNVU92413403/) - [JVNVU#92413403 (Japanese)](https://jvn.jp/vu/JVNVU92413403/) - [urllib3 v1.26.5](https://github.com/urllib3/urllib3/releases/tag/1.26.5) ### For more information If you have any questions or comments about this advisory: * Ask in our [community Discord](https://discord.gg/urllib3) * Email [sethmichaellarson@gmail.com](mailto:sethmichaellarson@gmail.com)
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/automation-hub | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
| redhat/python3-chardet | <0:3.0.4-3.el7 | 0:3.0.4-3.el7 |
| redhat/python3-click | <0:7.1.2-3.el7 | 0:7.1.2-3.el7 |
| redhat/python3-gnupg | <0:0.4.6-3.el7 | 0:0.4.6-3.el7 |
| redhat/python3-jinja2 | <0:2.11.2-3.el7 | 0:2.11.2-3.el7 |
| redhat/python3-markupsafe | <0:1.1.1-4.el7 | 0:1.1.1-4.el7 |
| redhat/python3-semantic-version | <0:2.8.5-3.el7 | 0:2.8.5-3.el7 |
| redhat/python-galaxy-ng | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
| redhat/python-requests | <0:2.25.1-1.el7 | 0:2.25.1-1.el7 |
| redhat/python-urllib3 | <0:1.26.5-1.el7 | 0:1.26.5-1.el7 |
| redhat/automation-hub | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
| redhat/python3-click | <0:7.1.2-3.el8 | 0:7.1.2-3.el8 |
| redhat/python3-gnupg | <0:0.4.6-3.el8 | 0:0.4.6-3.el8 |
| redhat/python3-jinja2 | <0:2.11.2-3.el8 | 0:2.11.2-3.el8 |
| redhat/python3-markupsafe | <0:1.1.1-4.el8 | 0:1.1.1-4.el8 |
| redhat/python3-semantic-version | <0:2.8.5-3.el8 | 0:2.8.5-3.el8 |
| redhat/python-galaxy-ng | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
| redhat/python-requests | <0:2.25.1-1.el8 | 0:2.25.1-1.el8 |
| redhat/python-urllib3 | <0:1.26.5-1.el8 | 0:1.26.5-1.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| pip/urllib3 | >=1.25.4<1.26.5 | 1.26.5 |
| redhat/urllib3 | <1.26.5 | 1.26.5 |
| Python urllib3 | >=1.25.4<1.26.5 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| >=1.25.4<1.26.5 | ||
| =33 | ||
| =34 | ||
| =12.4.0.0 | ||
| =17.1 | ||
| =17.2 | ||
| =17.3 | ||
| =8.8 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- https://nvd.nist.gov/vuln/detail/CVE-2021-33503
- https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
- https://security.gentoo.org/glsa/202107-36
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/203109
- https://www.ibm.com/support/pages/node/7096365 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968077
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968076
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968075
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/errata/RHSA-2021:3473
- https://access.redhat.com/security/cve/cve-2021-33503
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2021:4162
- https://access.redhat.com/errata/RHSA-2021:4702
- https://bugzilla.redhat.com/show_bug.cgi?id=1968074
- https://www.cve.org/CVERecord?id=CVE-2021-33503 https://nvd.nist.gov/vuln/detail/CVE-2021-33503 https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-33503?
CVE-2021-33503 is a vulnerability in urllib3 before version 1.26.5 that allows for denial of service attacks through a regex backtracking issue.
What is the impact of CVE-2021-33503?
CVE-2021-33503 can cause a denial of service if a URL with many '@' characters in the authority component is passed as a parameter or redirected to via an HTTP redirect.
How severe is CVE-2021-33503?
CVE-2021-33503 has a severity rating of 7.5 (High).
How do I fix CVE-2021-33503?
To fix CVE-2021-33503, update urllib3 to version 1.26.5 or apply the patches provided by the respective vendors.
Where can I find more information about CVE-2021-33503?
You can find more information about CVE-2021-33503 at the following references: [GitHub Advisory](https://github.com/advisories/GHSA-q2q7-5pp4-w6pg), [urllib3 Commit](https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec), [Fedora Security Announcement](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/)
- collector/github-advisory-latest
- alias/GHSA-q2q7-5pp4-w6pg
- alias/CVE-2021-33503
- collector/redhat-cve
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- collector/github-advisory
- source/GitHub
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/remedy
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/pip
- package-manager/redhat
- vendor/python
- canonical/python urllib3
- version/python urllib3/1.25.4
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8