CVE-2021-3733

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
pythonpython
𝑥
< 3.6.14
pythonpython
3.7.0 ≤
𝑥
< 3.7.11
pythonpython
3.8.0 ≤
𝑥
< 3.8.10
pythonpython
3.9.0 ≤
𝑥
< 3.9.5
pythonpython
3.10.0
redhatcodeready_linux_builder
8.0
redhatcodeready_linux_builder_for_ibm_z_systems
8.0
redhatcodeready_linux_builder_for_power_little_endian
8.0
redhatenterprise_linux
8.0
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_for_ibm_z_systems
8.0
redhatenterprise_linux_for_ibm_z_systems_eus
8.4
redhatenterprise_linux_for_power_little_endian
8.0
redhatenterprise_linux_for_power_little_endian_eus
8.4
redhatenterprise_linux_server_aus
8.4
redhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
8.4
redhatenterprise_linux_server_tus
8.4
redhatenterprise_linux_server_update_services_for_sap_solutions
8.4
fedoraprojectextra_packages_for_enterprise_linux
7.0
netappmanagement_services_for_element_software_and_netapp_hci
-
netappontap_select_deploy_administration_utility
-
netappsolidfire\,_enterprise_sds_\&_hci_storage_node
-
netapphci_compute_node_firmware
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bullseye (security)
vulnerable
bullseye
no-dsa
buster
no-dsa
bookworm
7.3.11+dfsg-2+deb12u2
fixed
sid
7.3.17+dfsg-2
fixed
trixie
7.3.17+dfsg-2
fixed
python2.7
bullseye
vulnerable
buster
no-dsa
python3.9
bullseye
vulnerable
buster
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python3.10
noble
dne
mantic
dne
lunar
dne
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
Fixed 3.10.0~b1-3~21.04
released
focal
dne
bionic
dne
xenial
ignored
trusty
dne
python3.4
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
focal
dne
bionic
dne
xenial
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm11
released
python3.5
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm1
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1
released
python3.6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.6
released
xenial
ignored
trusty
dne
python3.7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
Fixed 3.7.5-2ubuntu1~18.04.2
released
xenial
ignored
trusty
dne
python3.8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
Fixed 3.8.10-0ubuntu1~20.04
released
bionic
Fixed 3.8.0-3ubuntu1~18.04.2
released
xenial
ignored
trusty
dne
python3.9
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
not-affected
hirsute
not-affected
focal
Fixed 3.9.5-3~20.04.1
released
bionic
dne
xenial
ignored
trusty
dne
Common Weakness Enumeration
References
https://bugs.python.org/issue43075
https://bugzilla.redhat.com/show_bug.cgi?id=1995234
https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
https://github.com/python/cpython/pull/24391
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://security.netapp.com/advisory/ntap-20220407-0001/
https://ubuntu.com/security/CVE-2021-3733
https://bugs.python.org/issue43075
https://bugzilla.redhat.com/show_bug.cgi?id=1995234
https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
https://github.com/python/cpython/pull/24391
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20220407-0001/
https://ubuntu.com/security/CVE-2021-3733