CVSS3: 6.5 (Medium)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 (Medium)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.003 (Low), percentile 65.8%
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who
controls a malicious HTTP server that an HTTP client (such as a web browser)
connects to could trigger a Regular Expression Denial of Service (ReDoS)
during an authentication request with a specially crafted payload that is
sent by the server to the client. The greatest threat that this flaw poses
is to application availability.
Author | Note |
---|---|
leosilva | code affected in hirsute and devel is already patched, so both releases in python3.9 are not affected. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 21.04 | noarch | python3.10 | < 3.10.0~b1-3~21.04 | UNKNOWN |
ubuntu | 14.04 | noarch | python3.4 | < 3.4.3-1ubuntu1~14.04.7+esm11 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 14.04 | noarch | python3.5 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python3.5 | < 3.5.2-2ubuntu0~16.04.13+esm1 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 18.04 | noarch | python3.6 | < 3.6.9-1~18.04ubuntu1.6 | UNKNOWN |
ubuntu | 18.04 | noarch | python3.7 | < 3.7.5-2ubuntu1~18.04.2 | UNKNOWN |
ubuntu | 18.04 | noarch | python3.8 | < 3.8.0-3ubuntu1~18.04.2 | UNKNOWN |
ubuntu | 20.04 | noarch | python3.8 | < 3.8.10-0ubuntu1~20.04 | UNKNOWN |
ubuntu | 20.04 | noarch | python3.9 | < 3.9.5-3~20.04.1 | UNKNOWN |
bugs.python.org/issue43075
github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)
github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)
github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)
github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)
github.com/python/cpython/pull/24391
launchpad.net/bugs/cve/CVE-2021-3733
nvd.nist.gov/vuln/detail/CVE-2021-3733
security-tracker.debian.org/tracker/CVE-2021-3733
ubuntu.com/security/notices/USN-5083-1
ubuntu.com/security/notices/USN-5199-1
ubuntu.com/security/notices/USN-5200-1
www.cve.org/CVERecord?id=CVE-2021-3733