Vulnerability CVE-2021-3733: Information

Description

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3733
Published: March 10, 2022
Modified: July 1, 2023
Error type identifier: CWE-400

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pythonsisyphus2.7.18-alt82.7.18-alt11ALT-PU-2021-3010-1286676Fixed
pythonsisyphus_e2k2.7.18-alt82.7.18-alt11ALT-PU-2022-3615-1-Fixed
pythonp102.7.18-alt102.7.18-alt10ALT-PU-2022-3044-1309289Fixed
pythonp10_e2k2.7.18-alt102.7.18-alt10ALT-PU-2022-7062-1-Fixed
pythonc10f12.7.18-alt102.7.18-alt10ALT-PU-2022-3044-1309289Fixed
python3sisyphus3.9.5-alt13.12.2-alt1ALT-PU-2021-1784-1271461Fixed
python3sisyphus_riscv643.10.2-alt1.13.12.2-alt1ALT-PU-2022-3966-1-Fixed
python3p103.9.5-alt13.9.18-alt1ALT-PU-2021-1784-1271461Fixed
python3p93.7.11-alt13.7.17-alt1ALT-PU-2021-2653-1273501Fixed
python3c10f13.9.5-alt13.9.18-alt0.c10f1.1ALT-PU-2021-1784-1271461Fixed
python3c9f23.7.17-alt13.7.17-alt1ALT-PU-2024-3474-2342077Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
  • Patch
  • Third Party Advisory
https://ubuntu.com/security/CVE-2021-3733
  • Patch
  • Third Party Advisory
https://bugs.python.org/issue43075
  • Exploit
  • Issue Tracking
  • Patch
  • Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1995234
  • Issue Tracking
  • Third Party Advisory
https://github.com/python/cpython/pull/24391
  • Patch
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20220407-0001/
  • Third Party Advisory
[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update
    [debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update

        1. Configuration 1

          cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
          Start including
          3.9.0
          End excliding
          3.9.5
          cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
          Start including
          3.7.0
          End excliding
          3.7.11
          cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
          End excliding
          3.6.14
          cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*
          cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
          Start including
          3.8.0
          End excliding
          3.8.10

          Configuration 2

          cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
          cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
          cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:8.0:*:*:*:*:*:*:*
          cpe:2.3:a:redhat:codeready_linux_builder:8.0:*:*:*:*:*:*:*

          Configuration 3

          cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
          cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*

          Configuration 4

          cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
          cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
          cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
          cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.0
      Back to top