{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T10:42:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "FEDORA-2021-a6bde7ab18", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"}, {"name": "FEDORA-2021-9c5f3b8aae", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"}, {"name": "GLSA-202107-36", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33503", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2021-a6bde7ab18", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"}, {"name": "FEDORA-2021-9c5f3b8aae", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"}, {"name": "GLSA-202107-36", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-36"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg", "refsource": "CONFIRM", "url": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"}, {"name": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec", "refsource": "CONFIRM", "url": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:50:42.973Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2021-a6bde7ab18", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"}, {"name": "FEDORA-2021-9c5f3b8aae", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"}, {"name": "GLSA-202107-36", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33503", "datePublished": "2021-06-29T10:55:35", "dateReserved": "2021-05-21T00:00:00", "dateUpdated": "2024-08-03T23:50:42.973Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "39285E88-6838-4253-AD93-2717B1A8D1BC", "versionEndExcluding": "1.26.5", "versionStartIncluding": "1.25.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect."}, {"lang": "es", "value": "Se ha detectado un problema en urllib3 versiones anteriores a 1.26.5. Cuando se proporciona una URL que contiene muchos caracteres @ en el componente authority, la expresi\u00f3n regular de autoridad muestra un retroceso catastr\u00f3fico, causando una denegaci\u00f3n de servicio si fue pasado una URL como par\u00e1metro o es redirigido a ella por medio de un redireccionamiento HTTP"}], "id": "CVE-2021-33503", "lastModified": "2024-11-21T06:08:58.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-29T11:15:07.847", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "automation-hub-0:4.2.6-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-chardet-0:3.0.4-3.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-click-0:7.1.2-3.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-gnupg-0:0.4.6-3.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-jinja2-0:2.11.2-3.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-markupsafe-0:1.1.1-4.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-semantic-version-0:2.8.5-3.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-galaxy-ng-0:4.2.6-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-urllib3-0:1.26.5-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "automation-hub-0:4.2.6-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-click-0:7.1.2-3.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-gnupg-0:0.4.6-3.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-jinja2-0:2.11.2-3.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-markupsafe-0:1.1.1-4.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-semantic-version-0:2.8.5-3.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-galaxy-ng-0:4.2.6-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3473", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-urllib3-0:1.26.5-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38-devel:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite:6.10::el7", "package": "python-urllib3-0:1.26.5-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite_capsule:6.10::el7", "package": "python-urllib3-0:1.26.5-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}], "bugzilla": {"description": "python-urllib3: ReDoS in the parsing of authority part of URL", "id": "1968074", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968074"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.", "A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority's regular expression exhibits catastrophic backtracking. This flaw causes a denial of service if a URL is passed as a parameter or redirected via an HTTP redirect. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-33503", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python2-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Storage 3"}], "public_date": "2021-06-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-33503\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-33503\nhttps://github.com/advisories/GHSA-q2q7-5pp4-w6pg"], "statement": "* Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package which includes a vulnerable version of urllib3 module, however from OCP 4.6 the python-urllib3 package is no longer shipped. OCP 4.5 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.\nThe python-urllib3 package used in OCP 3.11 is not affected by this flaw.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.", "threat_severity": "Moderate"}