CVE-2021-33503

Published: Jun 29, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Affected (8)

Products: Python: Urllib3 · Fedoraproject: Fedora · Oracle: Enterprise Manager Ops Center, Instantis Enterprisetrack, Zfs Storage Appliance Kit

1 product

1 product

3 products

Enterprise Manager Ops Center

Instantis Enterprisetrack

Zfs Storage Appliance Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Python Urllib3	From 1.25.4 to 1.26.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Oracle Enterprise Manager Ops Center	Version 12.4.0.0
Oracle Instantis Enterprisetrack	Version 17.1
Oracle Instantis Enterprisetrack	Version 17.2
Oracle Instantis Enterprisetrack	Version 17.3
Oracle Zfs Storage Appliance Kit	Version 8.8

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (12)

https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

Source: cve@mitre.org

Third Party Advisory

https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202107-36

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202107-36

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.