CVE-2021-3733: ReDoS in urllib.request¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
The regular expression used by the AbstractBasicAuthHandler class of the urllib.request module is inefficient (quadratic in the length of the header it scans) and can be abused by an attacker who controls a malicious HTTP server to cause a denial of service in the client.
Dates:
- Disclosure date: 2021-01-30 (Python issue bpo-43075 reported)
Fixed In¶
- Python 3.6.14 (2021-06-28) fixed by commit 3fbe961 (branch 3.6) (2021-05-06)
- Python 3.7.11 (2021-06-28) fixed by commit ada1499 (branch 3.7) (2021-05-04)
- Python 3.8.10 (2021-05-03) fixed by commit e7654b6 (branch 3.8) (2021-04-07)
- Python 3.9.5 (2021-05-03) fixed by commit a21d4fb (branch 3.9) (2021-04-07)
- Python 3.10.0 (2021-10-04) fixed by commit 7215d1a (branch 3.10) (2021-04-07)
Python issue¶
CVE-2021-3733: ReDoS in urllib.request.
- Python issue: bpo-43075
- Creation date: 2021-01-30
- Reporter: yeting li
CVE-2021-3733¶
There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to, could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
- CVE ID: CVE-2021-3733
- Published: 2022-03-10
- CVSS Score: 4.0
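The two patterns below are an added example, not code from this page or from CPython: my reconstruction of the regex in urllib.request.AbstractBasicAuthHandler before and after the bpo-43075 fix (the exact pattern text is an assumption; compare it against Lib/urllib/request.py of the interpreter you ship). The all-comma header is constructed attacker input: the server controls the WWW-Authenticate value, which is exactly the input this regex runs on, and a value with no whitespace can never match, so the unfixed pattern backtracks from every comma and does quadratic work. The last function is a heuristic check of the running interpreter's handler, not an official API.

```python
import re
import sys
import time
import urllib.request

# Before the fix: the scheme group '[^ \t]+' may run across commas. On a header
# that is nothing but commas the engine consumes everything, backtracks one
# character at a time, and repeats that from every comma: O(n^2) steps before
# concluding that no challenge matches. (Reconstructed pattern; assumption.)
VULNERABLE_RX = re.compile('(?:^|,)'    # start of the string or ','
                           '[ \t]*'     # optional whitespace
                           '([^ \t]+)'  # scheme like "Basic"
                           '[ \t]+'     # mandatory whitespace
                           'realm=(["\']?)([^"\']*)\\2',  # realm=xxx / 'xxx' / "xxx"
                           re.I)

# After the fix: ',' is excluded from the scheme class, so each attempt stops at
# the next comma and total work is linear in the header length. (Reconstructed.)
FIXED_RX = re.compile('(?:^|,)'
                      '[ \t]*'
                      '([^ \t,]+)'
                      '[ \t]+'
                      'realm=(["\']?)([^"\']*)\\2',
                      re.I)


def parse_challenges(rx, header):
    """Extract (scheme, realm) pairs from a WWW-Authenticate value, roughly as
    the handler does when it looks for a Basic challenge to answer."""
    return [(m.group(1).lower(), m.group(3)) for m in rx.finditer(header)]


def malicious_header(n):
    """Constructed attacker-controlled WWW-Authenticate value: n commas and no
    whitespace, so no challenge can match and every attempt backtracks."""
    return ',' * n


def time_search(rx, header):
    """Seconds the engine needs to decide that `header` holds no challenge."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


def installed_handler_is_patched():
    """Heuristic check of the running interpreter: True if the handler's scheme
    class excludes ',' (the shape of the fix). The compiled pattern contains a
    literal tab, so the probe string below does too."""
    pattern = urllib.request.AbstractBasicAuthHandler.rx.pattern
    return '[^ \t,]+' in pattern


def demo(n=10000):
    """Return timings for both patterns on an n-comma header, plus the
    interpreter version and the result of the heuristic check."""
    header = malicious_header(n)
    return {
        'python': sys.version.split()[0],
        'installed_patched': installed_handler_is_patched(),
        'vulnerable_seconds': time_search(VULNERABLE_RX, header),
        'fixed_seconds': time_search(FIXED_RX, header),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Both patterns extract the same (scheme, realm) pairs from well-formed challenges; they differ on a scheme containing a comma, which the fixed pattern no longer accepts, and on the constructed all-comma header, where doubling n roughly quadruples the unfixed pattern's time while the fixed one stays flat. Run the demo under an old 3.8 or 3.9 and under a patched build to see the heuristic flip.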
Timeline¶
Timeline using the disclosure date 2021-01-30 as reference:
- 2021-01-30: Python issue bpo-43075 reported by yeting li
- 2021-04-07 (+67 days): commit 7215d1a (branch 3.10)
- 2021-04-07 (+67 days): commit a21d4fb (branch 3.9)
- 2021-04-07 (+67 days): commit e7654b6 (branch 3.8)
- 2021-05-03 (+93 days): Python 3.8.10 released
- 2021-05-03 (+93 days): Python 3.9.5 released
- 2021-05-04 (+94 days): commit ada1499 (branch 3.7)
- 2021-05-06 (+96 days): commit 3fbe961 (branch 3.6)
- 2021-06-28 (+149 days): Python 3.6.14 released
- 2021-06-28 (+149 days): Python 3.7.11 released
- 2021-10-04 (+247 days): Python 3.10.0 released
- 2022-03-10 (+404 days): CVE-2021-3733 published