GHSA-q2q7-5pp4-w6pg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-q2q7-5pp4-w6pg/GHSA-q2q7-5pp4-w6pg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q2q7-5pp4-w6pg
- Aliases
- Published
- 2021-06-01T21:19:32Z
- Modified
- 2024-02-16T08:11:19.623969Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
- Details
-
Impact
When provided with a URL containing many
@characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.Patches
The issue has been fixed in urllib3 v1.26.5.
References
For more information
If you have any questions or comments about this advisory: * Ask in our community Discord * Email sethmichaellarson@gmail.com
- References
-
- https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- https://nvd.nist.gov/vuln/detail/CVE-2021-33503
- https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
- https://github.com/urllib3/urllib3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73
- https://security.gentoo.org/glsa/202107-36
- https://www.oracle.com/security-alerts/cpuoct2021.html
Affected packages
PyPI / urllib3
Package
- Name
- urllib3
- View open source insights on deps.dev
- Purl
- pkg:pypi/urllib3