First published: Tue Jun 01 2021
### Impact

When provided with a URL containing many `@` characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if such a URL is passed as a parameter or redirected to via an HTTP redirect.

### Patches

The issue has been fixed in urllib3 v1.26.5.

### References

- [CVE-2021-33503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503)
- [JVNVU#92413403 (English)](https://jvn.jp/en/vu/JVNVU92413403/)
- [JVNVU#92413403 (Japanese)](https://jvn.jp/vu/JVNVU92413403/)
- [urllib3 v1.26.5](https://github.com/urllib3/urllib3/releases/tag/1.26.5)

### For more information

If you have any questions or comments about this advisory:

* Ask in our [community Discord](https://discord.gg/urllib3)
* Email [sethmichaellarson@gmail.com](mailto:sethmichaellarson@gmail.com)
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/automation-hub | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
redhat/python3-chardet | <0:3.0.4-3.el7 | 0:3.0.4-3.el7 |
redhat/python3-click | <0:7.1.2-3.el7 | 0:7.1.2-3.el7 |
redhat/python3-gnupg | <0:0.4.6-3.el7 | 0:0.4.6-3.el7 |
redhat/python3-jinja2 | <0:2.11.2-3.el7 | 0:2.11.2-3.el7 |
redhat/python3-markupsafe | <0:1.1.1-4.el7 | 0:1.1.1-4.el7 |
redhat/python3-semantic-version | <0:2.8.5-3.el7 | 0:2.8.5-3.el7 |
redhat/python-galaxy-ng | <0:4.2.6-1.el7 | 0:4.2.6-1.el7 |
redhat/python-requests | <0:2.25.1-1.el7 | 0:2.25.1-1.el7 |
redhat/python-urllib3 | <0:1.26.5-1.el7 | 0:1.26.5-1.el7 |
redhat/automation-hub | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
redhat/python3-click | <0:7.1.2-3.el8 | 0:7.1.2-3.el8 |
redhat/python3-gnupg | <0:0.4.6-3.el8 | 0:0.4.6-3.el8 |
redhat/python3-jinja2 | <0:2.11.2-3.el8 | 0:2.11.2-3.el8 |
redhat/python3-markupsafe | <0:1.1.1-4.el8 | 0:1.1.1-4.el8 |
redhat/python3-semantic-version | <0:2.8.5-3.el8 | 0:2.8.5-3.el8 |
redhat/python-galaxy-ng | <0:4.2.6-1.el8 | 0:4.2.6-1.el8 |
redhat/python-requests | <0:2.25.1-1.el8 | 0:2.25.1-1.el8 |
redhat/python-urllib3 | <0:1.26.5-1.el8 | 0:1.26.5-1.el8 |
redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
pip/urllib3 | >=1.25.4<1.26.5 | 1.26.5 |
redhat/urllib3 | <1.26.5 | 1.26.5 |
Python urllib3 | >=1.25.4<1.26.5 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
CVE-2021-33503 is a vulnerability in urllib3 before version 1.26.5 that allows denial of service through a regular-expression backtracking issue.
CVE-2021-33503 can cause a denial of service if a URL with many `@` characters in the authority component is passed as a parameter or redirected to via an HTTP redirect.
CVE-2021-33503 has a severity rating of 7.5 (High).
To fix CVE-2021-33503, update urllib3 to version 1.26.5 or apply the patches provided by the respective vendors.
You can find more information about CVE-2021-33503 at the following references:

- [GitHub Advisory](https://github.com/advisories/GHSA-q2q7-5pp4-w6pg)
- [urllib3 Commit](https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec)
- [Fedora Security Announcement](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/)
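As an added, defender-side example that is not part of the advisory or of urllib3 itself: a small script that scans `pip freeze`-style output for urllib3 installs inside the affected range given in the table above (`>=1.25.4`, `<1.26.5`). The sample freeze lines are constructed, and the version comparison is a simplified numeric-dotted compare that is sufficient for urllib3's release numbering (assumption: no pre-release or post-release suffixes in the input).

```python
import re
from typing import List, Tuple

# Range from the advisory table: first affected release (inclusive)
# and the first fixed release (exclusive upper bound).
AFFECTED_MIN = "1.25.4"
FIXED_IN = "1.26.5"

# Matches pinned `name==version` lines as emitted by `pip freeze`.
FREEZE_LINE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[0-9][0-9.]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5); pad short versions like '1.26' to three parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version: str) -> bool:
    """True if `version` falls in [AFFECTED_MIN, FIXED_IN)."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_IN)


def find_affected(freeze_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (package, version) pairs for every urllib3 pin in the affected range."""
    hits = []
    for line in freeze_lines:
        m = FREEZE_LINE.match(line)
        if not m:
            continue  # comments, editable installs, blank lines: skip
        name = m.group("name").lower().replace("_", "-")  # normalise package name
        if name == "urllib3" and is_affected(m.group("ver")):
            hits.append((name, m.group("ver")))
    return hits


# Constructed sample of `pip freeze` output from several environments (not real data).
SAMPLE_FREEZE = """\
requests==2.25.1
urllib3==1.25.8
# second environment
urllib3==1.26.5
urllib3==1.24.3
"""

if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_FREEZE.splitlines()):
        print(f"{name}=={ver} is affected by CVE-2021-33503; upgrade to {FIXED_IN}")
```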