Vulnerability Description
There is a flaw in the AbstractBasicAuthHandler class of Python's urllib (urllib.request). An attacker who controls a malicious HTTP server that a urllib-based HTTP client connects to can trigger a regular expression denial of service (ReDoS) during an authentication request by sending a specially crafted WWW-Authenticate (or Proxy-Authenticate) header: the regex that parses the authentication challenge has quadratic worst-case complexity, so a long header value of the right shape keeps the client busy backtracking. The greatest threat this flaw poses is to application availability.
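The pre-fix challenge-parsing regex beside its fixed form, with a constructed header value that makes the quadratic behaviour measurable. This is an added example, not code from the original page or from the CPython project: the two patterns reproduce `AbstractBasicAuthHandler.rx` from `Lib/urllib/request.py` before and after the commit linked in the references (the change is `[^ \t]+` to `[^ \t,]+` in the scheme group); the `find_basic_realm`, `time_search` and `compare` helpers and the comma-only header are this example's own, and the header stands in for what a malicious server would send in WWW-Authenticate.

```python
import re
import time

# Regex from AbstractBasicAuthHandler.rx as shipped before the fix.
# The scheme group "[^ \t]+" also accepts ',' so it can swallow every
# following challenge and then backtrack through it one char at a time.
VULNERABLE_RX = re.compile(
    '(?:^|,)'                      # start of string or ','
    '[ \t]*'                       # optional whitespace
    '([^ \t]+)'                    # scheme, e.g. "Basic" (commas allowed!)
    '[ \t]+'                       # mandatory whitespace
    'realm=(["\']?)([^"\']*)\\2',  # realm=xxx / realm='xxx' / realm="xxx"
    re.I)

# Same regex after the fix: the scheme may no longer contain ',', so each
# comma-delimited challenge is examined once instead of re-scanned from
# every comma in the header.
FIXED_RX = re.compile(
    '(?:^|,)'
    '[ \t]*'
    '([^ \t,]+)'                   # scheme: no whitespace and no ','
    '[ \t]+'
    'realm=(["\']?)([^"\']*)\\2',
    re.I)


def find_basic_realm(rx, header):
    """Realm of the first Basic challenge in a header value, else None.

    Helper written for this example: it uses the same match groups that
    AbstractBasicAuthHandler reads, but it is not the stdlib code.
    """
    for mo in rx.finditer(header):
        scheme, _quote, realm = mo.groups()
        if scheme.lower() == 'basic':
            return realm
    return None


def time_search(rx, header):
    """Seconds one rx.search() call takes on the given header value."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


# Constructed payload: a server-controlled header value that is nothing
# but commas. Every ',' is a candidate start for "(?:^|,)", and the
# unbounded "[^ \t]+" then consumes all remaining commas and backtracks
# one by one looking for "[ \t]+realm=", giving roughly n*n/2 steps for
# the vulnerable pattern and about n steps for the fixed one.
REDOS_HEADER = ',' * 5000


def compare(header=REDOS_HEADER):
    """Elapsed seconds for the vulnerable and the fixed regex on header."""
    return {
        'vulnerable': time_search(VULNERABLE_RX, header),
        'fixed': time_search(FIXED_RX, header),
    }


if __name__ == '__main__':
    # Constructed, well-formed header carrying two challenges.
    good = 'Digest realm="api", Basic realm="private"'
    print('vulnerable ->', find_basic_realm(VULNERABLE_RX, good))
    print('fixed      ->', find_basic_realm(FIXED_RX, good))
    for name, secs in compare().items():
        print(f'{name:10s} {secs:.4f}s on {len(REDOS_HEADER)} commas')
```

Both patterns parse legitimate single- and multi-challenge headers identically; the only behavioural difference is that a scheme token can no longer span a comma, which is exactly what removes the quadratic backtracking. Scaling `REDOS_HEADER` up makes the vulnerable timing grow roughly four-fold per doubling, while the fixed one stays flat.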
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | < 3.6.14 |
| Red Hat | CodeReady Linux Builder | 8.0 |
| Red Hat | CodeReady Linux Builder for IBM Z Systems | 8.0 |
| Red Hat | CodeReady Linux Builder for Power, little endian | 8.0 |
| Red Hat | Enterprise Linux | 8.0 |
| Red Hat | Enterprise Linux EUS | 8.4 |
| Red Hat | Enterprise Linux for IBM Z Systems | 8.0 |
| Red Hat | Enterprise Linux for IBM Z Systems EUS | 8.4 |
| Red Hat | Enterprise Linux for Power, little endian | 8.0 |
| Red Hat | Enterprise Linux for Power, little endian EUS | 8.4 |
| Red Hat | Enterprise Linux Server AUS | 8.4 |
| Red Hat | Enterprise Linux Server for Power, little endian, Update Services for SAP Solutions | 8.4 |
| Red Hat | Enterprise Linux Server TUS | 8.4 |
| Red Hat | Enterprise Linux Server, Update Services for SAP Solutions | 8.4 |
| Fedora Project | Extra Packages for Enterprise Linux (EPEL) | 7.0 |
| Fedora Project | Fedora | 33 |
| NetApp | Management Services for Element Software and NetApp HCI | - |
| NetApp | ONTAP Select Deploy Administration Utility | - |
| NetApp | SolidFire, Enterprise SDS & HCI Storage Node | - |
| NetApp | HCI Compute Node Firmware | - |
Related Weaknesses (CWE)
References
- https://bugs.python.org/issue43075 (Exploit, Issue Tracking, Patch)
- https://bugzilla.redhat.com/show_bug.cgi?id=1995234 (Issue Tracking, Third Party Advisory)
- https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb (Patch, Third Party Advisory)
- https://github.com/python/cpython/pull/24391 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://security.netapp.com/advisory/ntap-20220407-0001/ (Third Party Advisory)
- https://ubuntu.com/security/CVE-2021-3733 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
FAQ
What is CVE-2021-3733?
CVE-2021-3733 is a vulnerability with a CVSS base score of 6.5 (MEDIUM) in the AbstractBasicAuthHandler class of Python's urllib. An attacker who controls a malicious HTTP server that a urllib-based HTTP client connects to can trigger a regular expression denial of service (ReDoS) during an authentication request by sending a specially crafted authentication challenge header. The main impact is to application availability.
How severe is CVE-2021-3733?
CVE-2021-3733 has been rated MEDIUM with a CVSS base score of 6.5/10. The threat is to application availability: a client that connects to an attacker-controlled server can be kept busy in a backtracking regex match while parsing the crafted header. Exploitation requires the client to reach a server the attacker controls.
Is there a patch for CVE-2021-3733?
Yes. The issue was fixed upstream in CPython under bpo-43075 / GH-24391 (the commit and pull request linked in the references). According to the table above, Python versions before 3.6.14 are affected, so upgrade to a release that includes the fix. Red Hat, Debian and Ubuntu ship backported fixes for their Python packages (see the Bugzilla, debian-lts-announce and Ubuntu links above), and NetApp published advisory ntap-20220407-0001 for the affected products listed in the table.