Vulnerability Details CVE-2021-33503
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if such a URL is passed as a parameter or reached via an HTTP redirect.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 73.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2021-33503
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.1
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.2
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.3
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8
- cpe:2.3:a:python:urllib3:1.25.10
- cpe:2.3:a:python:urllib3:1.25.11
- cpe:2.3:a:python:urllib3:1.25.4
- cpe:2.3:a:python:urllib3:1.25.5
- cpe:2.3:a:python:urllib3:1.25.6
- cpe:2.3:a:python:urllib3:1.25.7
- cpe:2.3:a:python:urllib3:1.25.8
- cpe:2.3:a:python:urllib3:1.25.9
- cpe:2.3:a:python:urllib3:1.26.0
- cpe:2.3:a:python:urllib3:1.26.1
- cpe:2.3:a:python:urllib3:1.26.2
- cpe:2.3:a:python:urllib3:1.26.3
- cpe:2.3:a:python:urllib3:1.26.4
- cpe:2.3:o:fedoraproject:fedora:33
- cpe:2.3:o:fedoraproject:fedora:34