PT-2021-6101 · Pypi+4 · Httplib2+4

Ben Caller

·

Published

2021-02-08

·

Updated

2026-03-21

·

CVE-2021-21240

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

httplib2 versions prior to 0.19.0

Description

A malicious server that answers with a long run of \xa0 (U+00A0, NO-BREAK SPACE) characters in the WWW-Authenticate header can cause a denial of service of the httplib2 client that connects to it: the client burns CPU while parsing the header. The cause is catastrophic backtracking in the regular expression httplib2 used to parse authentication challenges; the page attributes cubic complexity to it, so a header of a few tens of kilobytes is enough to stall the client for a long time. No authentication or user interaction is needed beyond making a request to the attacker-controlled (or compromised) server.

Recommendations

Update to httplib2 0.19.0 or later, which replaces the regular-expression parser with a new implementation of auth header parsing built on the pyparsing library. As a temporary workaround on earlier versions, set httplib2.USE_WWW_AUTH_STRICT_PARSING to True before issuing requests; strict parsing may reject challenges that the relaxed parser accepted, so test it against the servers you actually talk to, and prefer the upgrade.
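The mechanism and the defence, as an added illustration that is not httplib2's own code (the project's fix uses pyparsing, which this example does not reproduce): a single-pass WWW-Authenticate challenge parser that treats only SP and HTAB as whitespace, as RFC 7230 does, so a run of U+00A0 is rejected at its first character instead of being fed to a backtracking regex; a hard cap on header length as a second line of defence; and a version check against the 0.19.0 fix boundary named in the advisory. The MAX_AUTH_HEADER_LEN value, the function names and the sample headers are this example's assumptions.

```python
"""Linear-time WWW-Authenticate parsing and an httplib2 version check.

Example code written for this advisory page; it is not httplib2's
implementation. MAX_AUTH_HEADER_LEN is an assumed, tunable limit.
"""
from typing import Dict, Tuple

MAX_AUTH_HEADER_LEN = 4096  # assumption: no sane challenge is longer than this

# RFC 7230 tchar: the characters allowed in an unquoted token.
# Note that U+00A0 is not in this set, so it can never be skipped or consumed.
TOKEN_CHARS = frozenset(
    "!#$%&'*+-.^_`|~0123456789"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)
HTTP_WS = frozenset(" \t")  # only SP and HTAB are whitespace in HTTP headers


def is_vulnerable_httplib2(version: str) -> bool:
    """True if a dotted version string sorts before 0.19.0 (the fixed release)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) < (0, 19, 0)


def parse_www_authenticate(header: str) -> Tuple[str, Dict[str, str]]:
    """Parse a single challenge: `scheme key=value, key="quoted", ...`.

    Every loop below advances the index by at least one character and never
    backs up, so the cost is linear in len(header) for any input.
    """
    if len(header) > MAX_AUTH_HEADER_LEN:
        raise ValueError(f"WWW-Authenticate header longer than {MAX_AUTH_HEADER_LEN}")
    n = len(header)

    def skip_ws(i: int) -> int:
        while i < n and header[i] in HTTP_WS:
            i += 1
        return i

    def read_token(i: int) -> Tuple[str, int]:
        start = i
        while i < n and header[i] in TOKEN_CHARS:
            i += 1
        if start == i:
            raise ValueError(f"expected token at offset {start}")
        return header[start:i], i

    i = skip_ws(0)
    scheme, i = read_token(i)
    params: Dict[str, str] = {}
    while True:
        i = skip_ws(i)
        if i >= n:
            break
        if header[i] == ",":  # tolerate empty list elements
            i += 1
            continue
        key, i = read_token(i)
        i = skip_ws(i)
        if i >= n or header[i] != "=":
            raise ValueError(f"expected '=' after parameter {key!r}")
        i = skip_ws(i + 1)
        if i < n and header[i] == '"':  # quoted-string with backslash escapes
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted-string")
                ch = header[i]
                if ch == "\\" and i + 1 < n:
                    buf.append(header[i + 1])
                    i += 2
                elif ch == '"':
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            value = "".join(buf)
        else:
            value, i = read_token(i)
        params[key.lower()] = value
    return scheme, params


def parse_or_reject(header: str) -> str:
    """Wrapper a client would use: never raises, reports 'ok' or why it refused."""
    try:
        parse_www_authenticate(header)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    import time

    print(parse_www_authenticate('Digest realm="test@example.com", qop="auth,auth-int", algorithm=MD5'))
    flood = "Basic realm=" + "\xa0" * 100_000  # constructed payload shape from the advisory
    t0 = time.perf_counter()
    print(parse_or_reject(flood), f"in {time.perf_counter() - t0:.6f}s")
    for v in ("0.18.1", "0.19.0", "0.20.4"):
        print(v, "vulnerable" if is_vulnerable_httplib2(v) else "fixed")
```

The flood is refused twice over: it exceeds the length cap, and even a shorter run of U+00A0 fails at read_token because that code point is not a tchar. Both checks cost a constant number of steps per input character, which is the property a ReDoS fix must restore; a version check alone is still worth running in CI so the upgrade cannot silently regress.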

Tags: Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers

BDU:2022-00801
CVE-2021-21240
GHSA-93XJ-8MRV-444M
MGASA-2021-0122
OESA-2021-1126
OPENSUSE-SU-2021:0772-1
OPENSUSE-SU-2021:0796-1
OPENSUSE-SU-2021:1806-1
OPENSUSE-SU-2024:11231-1
OPENSUSE-SU-2024:14141-1
PYSEC-2021-16
RHSA-2021:2116
SUSE-SU-2021:1637-1
SUSE-SU-2021:1779-1
SUSE-SU-2021:1806-1
SUSE-SU-2021:1807-1
SUSE-SU-2021:1808-1

Affected Products

Astra Linux
Debian
RED OS
SUSE
httplib2