CVE-2021-3733: ReDoS in urllib.request

The regular expression used by the AbstractBasicAuthHandler class of the urllib module is inefficient and can be abused by an attacker with a maliciuous HTTP server to cause a denial of service.

Dates:

• Disclosure date: 2021-01-30 (Python issue bpo-43075 reported)

Fixed In

• Python 3.6.14 (2021-06-28) fixed by commit 3fbe961 (branch 3.6) (2021-05-06)
• Python 3.7.11 (2021-06-28) fixed by commit ada1499 (branch 3.7) (2021-05-04)
• Python 3.8.10 (2021-05-03) fixed by commit e7654b6 (branch 3.8) (2021-04-07)
• Python 3.9.5 (2021-05-03) fixed by commit a21d4fb (branch 3.9) (2021-04-07)
• Python 3.10.0 (2021-10-04) fixed by commit 7215d1a (branch 3.10) (2021-04-07)

Python issue

CVE-2021-3733: ReDoS in urllib.request.

• Python issue: bpo-43075
• Creation date: 2021-01-30
• Reporter: yeting li

Timeline

Timeline using the disclosure date 2021-01-30 as reference:

• 2021-01-30: Python issue bpo-43075 reported by yeting li
• 2021-04-07 (+67 days): commit 7215d1a (branch 3.10)
• 2021-04-07 (+67 days): commit a21d4fb (branch 3.9)
• 2021-04-07 (+67 days): commit e7654b6 (branch 3.8)
• 2021-05-03 (+93 days): Python 3.8.10 released
• 2021-05-03 (+93 days): Python 3.9.5 released
• 2021-05-04 (+94 days): commit ada1499 (branch 3.7)
• 2021-05-06 (+96 days): commit 3fbe961 (branch 3.6)
• 2021-06-28 (+149 days): Python 3.6.14 released
• 2021-06-28 (+149 days): Python 3.7.11 released
• 2021-10-04: Python 3.10.0 released

Links

• https://access.redhat.com/security/cve/cve-2021-3733
• https://nvd.nist.gov/vuln/detail/CVE-2021-3733/