PT-2021-6018 · Python+10 · Urllib3+10

Published

2020-06-11

·

Updated

2026-05-19

·

CVE-2021-33503

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions urllib3 versions prior to 1.26.5
Description The issue is related to an HTTP client vulnerability in Python urllib3, which is associated with uncontrolled resource consumption. Exploitation of the vulnerability may allow a remote attacker to cause a denial of service. The vulnerability occurs when a URL containing many @ characters in the authority component is provided, causing the authority regular expression to exhibit catastrophic backtracking.
Recommendations For versions prior to 1.26.5, update to version 1.26.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of URLs with multiple @ characters in the authority component to minimize the risk of exploitation. Avoid using URLs that may cause catastrophic backtracking in the authority regular expression until the issue is resolved.

Fix

DoS

Resource Exhaustion

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2021:4160
ALSA-2021:4162
ALT-PU-2020-2173
ALT-PU-2024-13325
ALT-PU-2024-13327
ALT-PU-2024-13578
AZL-6821
BDU:2022-00586
CESA-2021_4160
CESA-2021_4162
CVE-2021-33503
GHSA-Q2Q7-5PP4-W6PG
MGASA-2021-0371
MGASA-2021-0377
OESA-2021-1260
OESA-2022-1944
OESA-2022-1945
OPENSUSE-SU-2021:2012-1
OPENSUSE-SU-2021_2012-1
OPENSUSE-SU-2024:11277-1
OPENSUSE-SU-2024:12944-1
OPENSUSE-SU-2024:14055-1
PYSEC-2021-108
RHSA-2021:3254
RHSA-2021:3473
RHSA-2021:4160
RHSA-2021:4162
RHSA-2021:4702
RHSA-2021_4160
RHSA-2021_4162
RLSA-2021:4160
RLSA-2021:4162
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2021:2194-1
SUSE-SU-2021:2012-1
SUSE-SU-2021:2195-1
SUSE-SU-2021_2012-1
USN-5812-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Urllib3