Lucene search

K

GitHub Advisory DatabaseGHSA-Q2Q7-5PP4-W6PG

HistoryJun 01, 2021 - 9:19 p.m.

Catastrophic backtracking in URL authority parser when passed URL containing many @ characters

2021-06-0121:19:32

CWE-400

GitHub Advisory Database

github.com

65

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

69.2%

Impact

When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Patches

The issue has been fixed in urllib3 v1.26.5.

References

For more information

If you have any questions or comments about this advisory:

Ask in our community Discord
Email [email protected]

Affected configurations

Vulners

Node

github_advisory_databaseurllib3Range<1.26.5

CPENameOperatorVersion
urllib3lt1.26.5

References

github.com/advisories/GHSA-q2q7-5pp4-w6pg

github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65

github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg

lists.fedoraproject.org/archives/list/[email protected]/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/

lists.fedoraproject.org/archives/list/[email protected]/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

nvd.nist.gov/vuln/detail/CVE-2021-33503

security.gentoo.org/glsa/202107-36

www.oracle.com/security-alerts/cpuoct2021.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

69.2%

Related for GHSA-Q2Q7-5PP4-W6PG