Lucene search

K
amazonAmazonALAS2-2021-1688
HistoryJul 14, 2021 - 8:40 p.m.

Medium: python-urllib3

2021-07-1420:40:00
alas.aws.amazon.com
29
python-urllib3
denial of service
catastrophic backtracking
authority component
system availability
amazon linux 2
update
cve-2021-33503

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.003

Percentile

69.2%

Issue Overview:

A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority’s regular expression exhibits catastrophic backtracking. This flaw causes a denial of service if a URL is passed as a parameter or redirected via an HTTP redirect. The highest threat from this vulnerability is to system availability. (CVE-2021-33503)

Affected Packages:

python-urllib3

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-urllib3 to update your system.

New Packages:

noarch:  
    python-urllib3-1.25.9-1.amzn2.0.2.noarch  
  
src:  
    python-urllib3-1.25.9-1.amzn2.0.2.src  

Additional References

Red Hat: CVE-2021-33503

Mitre: CVE-2021-33503

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchpython-urllib3< 1.25.9-1.amzn2.0.2python-urllib3-1.25.9-1.amzn2.0.2.noarch.rpm

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.003

Percentile

69.2%