CVE-2021-3733
Published: 2 September 2021
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Notes
| Author | Note |
|---|---|
| leosilva | code affected in hirsute and devel is already patched, so both releases in python3.9 are not affected. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python3.10 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| hirsute |
Released
(3.10.0~b1-3~21.04)
|
|
| impish |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| bionic |
Does not exist
|
|
| mantic |
Does not exist
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
jammy |
Does not exist
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Released
(3.4.3-1ubuntu1~14.04.7+esm11)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| mantic |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
impish |
Does not exist
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| trusty |
Needed
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.5.2-2ubuntu0~16.04.13+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| mantic |
Does not exist
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.9-1~18.04ubuntu1.6)
|
| focal |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| mantic |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| upstream |
Needs triage
|
|
| trusty |
Does not exist
|
|
| xenial |
Ignored
(end of standard support)
|
|
| bionic |
Released
(3.7.5-2ubuntu1~18.04.2)
|
|
| mantic |
Does not exist
|
|
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.8.0-3ubuntu1~18.04.2)
|
| focal |
Released
(3.8.10-0ubuntu1~20.04)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| mantic |
Does not exist
|
|
|
python3.9 Launchpad, Ubuntu, Debian |
jammy |
Does not exist
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| impish |
Not vulnerable
|
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| xenial |
Ignored
(end of standard support)
|
|
| upstream |
Released
(3.9.7-1)
|
|
| focal |
Released
(3.9.5-3~20.04.1)
|
|
| hirsute |
Not vulnerable
|
|
| mantic |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3733
- https://bugs.python.org/issue43075
- https://github.com/python/cpython/pull/24391
- https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
- https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)
- https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)
- https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)
- https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)
- https://ubuntu.com/security/notices/USN-5083-1
- https://ubuntu.com/security/notices/USN-5199-1
- https://ubuntu.com/security/notices/USN-5200-1
- NVD
- Launchpad
- Debian