CVE-2021-3733: ReDoS in urllib.request¶
The regular expression used by the AbstractBasicAuthHandler class of the urllib module is inefficient and can be abused by an attacker with a maliciuous HTTP server to cause a denial of service.
Dates:
- Disclosure date: 2021-01-30 (Python issue bpo-43075 reported)
Fixed In¶
- Python 3.6.14 (2021-06-28) fixed by commit 3fbe961 (branch 3.6) (2021-05-06)
- Python 3.7.11 (2021-06-28) fixed by commit ada1499 (branch 3.7) (2021-05-04)
- Python 3.8.10 (2021-05-03) fixed by commit e7654b6 (branch 3.8) (2021-04-07)
- Python 3.9.5 (2021-05-03) fixed by commit a21d4fb (branch 3.9) (2021-04-07)
- Python 3.10.0 (2021-10-04) fixed by commit 7215d1a (branch 3.10) (2021-04-07)
Python issue¶
CVE-2021-3733: ReDoS in urllib.request.
- Python issue: bpo-43075
- Creation date: 2021-01-30
- Reporter: yeting li
CVE-2021-3733¶
There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
- CVE ID: CVE-2021-3733
- Published: 2022-03-10
- CVSS Score: 4.0
Timeline¶
Timeline using the disclosure date 2021-01-30 as reference:
- 2021-01-30: Python issue bpo-43075 reported by yeting li
- 2021-04-07 (+67 days): commit 7215d1a (branch 3.10)
- 2021-04-07 (+67 days): commit a21d4fb (branch 3.9)
- 2021-04-07 (+67 days): commit e7654b6 (branch 3.8)
- 2021-05-03 (+93 days): Python 3.8.10 released
- 2021-05-03 (+93 days): Python 3.9.5 released
- 2021-05-04 (+94 days): commit ada1499 (branch 3.7)
- 2021-05-06 (+96 days): commit 3fbe961 (branch 3.6)
- 2021-06-28 (+149 days): Python 3.6.14 released
- 2021-06-28 (+149 days): Python 3.7.11 released
- 2021-10-04: Python 3.10.0 released
- 2022-03-10 (+404 days): CVE-2021-3733 published