CVE-2021-33503
First published: Tue Jun 01 2021(Updated: )
### Impact When provided with a URL containing many `@` characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. ### Patches The issue has been fixed in urllib3 v1.26.5. ### References - [CVE-2021-33503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503) - [JVNVU#92413403 (English)](https://jvn.jp/en/vu/JVNVU92413403/) - [JVNVU#92413403 (Japanese)](https://jvn.jp/vu/JVNVU92413403/) - [urllib3 v1.26.5](https://github.com/urllib3/urllib3/releases/tag/1.26.5) ### For more information If you have any questions or comments about this advisory: * Ask in our [community Discord](https://discord.gg/urllib3) * Email [sethmichaellarson@gmail.com](mailto:sethmichaellarson@gmail.com)
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/automation-hub | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
| redhat/python3-chardet | <0:3.0.4-3.el7 | 0:3.0.4-3.el7 |
| redhat/python3-click | <0:7.1.2-3.el7 | 0:7.1.2-3.el7 |
| redhat/python3-gnupg | <0:0.4.6-3.el7 | 0:0.4.6-3.el7 |
| redhat/python3-jinja2 | <0:2.11.2-3.el7 | 0:2.11.2-3.el7 |
| redhat/python3-markupsafe | <0:1.1.1-4.el7 | 0:1.1.1-4.el7 |
| redhat/python3-semantic-version | <0:2.8.5-3.el7 | 0:2.8.5-3.el7 |
| redhat/python-galaxy-ng | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
| redhat/python-requests | <0:2.25.1-1.el7 | 0:2.25.1-1.el7 |
| redhat/python-urllib3 | <0:1.26.5-1.el7 | 0:1.26.5-1.el7 |
| redhat/automation-hub | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
| redhat/python3-click | <0:7.1.2-3.el8 | 0:7.1.2-3.el8 |
| redhat/python3-gnupg | <0:0.4.6-3.el8 | 0:0.4.6-3.el8 |
| redhat/python3-jinja2 | <0:2.11.2-3.el8 | 0:2.11.2-3.el8 |
| redhat/python3-markupsafe | <0:1.1.1-4.el8 | 0:1.1.1-4.el8 |
| redhat/python3-semantic-version | <0:2.8.5-3.el8 | 0:2.8.5-3.el8 |
| redhat/python-galaxy-ng | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
| redhat/python-requests | <0:2.25.1-1.el8 | 0:2.25.1-1.el8 |
| redhat/python-urllib3 | <0:1.26.5-1.el8 | 0:1.26.5-1.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| pip/urllib3 | >=1.25.4<1.26.5 | 1.26.5 |
| redhat/urllib3 | <1.26.5 | 1.26.5 |
| Python urllib3 | >=1.25.4<1.26.5 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| >=1.25.4<1.26.5 | ||
| =33 | ||
| =34 | ||
| =12.4.0.0 | ||
| =17.1 | ||
| =17.2 | ||
| =17.3 | ||
| =8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- https://nvd.nist.gov/vuln/detail/CVE-2021-33503
- https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
- https://security.gentoo.org/glsa/202107-36
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/203109
- https://www.ibm.com/support/pages/node/7096365 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968077
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968076
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1968075
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/errata/RHSA-2021:3473
- https://access.redhat.com/security/cve/cve-2021-33503
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2021:4162
- https://access.redhat.com/errata/RHSA-2021:4702
- https://bugzilla.redhat.com/show_bug.cgi?id=1968074
- https://www.cve.org/CVERecord?id=CVE-2021-33503 https://nvd.nist.gov/vuln/detail/CVE-2021-33503 https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-33503?
CVE-2021-33503 is a vulnerability in urllib3 before version 1.26.5 that allows for denial of service attacks through a regex backtracking issue.
What is the impact of CVE-2021-33503?
CVE-2021-33503 can cause a denial of service if a URL with many '@' characters in the authority component is passed as a parameter or redirected to via an HTTP redirect.
How severe is CVE-2021-33503?
CVE-2021-33503 has a severity rating of 7.5 (High).
How do I fix CVE-2021-33503?
To fix CVE-2021-33503, update urllib3 to version 1.26.5 or apply the patches provided by the respective vendors.
Where can I find more information about CVE-2021-33503?
You can find more information about CVE-2021-33503 at the following references: [GitHub Advisory](https://github.com/advisories/GHSA-q2q7-5pp4-w6pg), [urllib3 Commit](https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec), [Fedora Security Announcement](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- source/GitHub
- alias/GHSA-q2q7-5pp4-w6pg
- alias/CVE-2021-33503
- agent/software-canonical-lookup
- collector/github-advisory-latest
- collector/ibm-support
- source/IBM
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- package-manager/pip
- vendor/python
- canonical/python urllib3
- version/python urllib3/1.25.4
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- package-manager/redhat