Published: 2021/06/07  Last Updated: 2021/06/07

JVNVU#92413403
urllib3 vulnerable to Regular expression Denial-of-Service (ReDoS)

Overview

urllib3 contains a Regular expression Denial-of-Service (ReDoS) vulnerability.

Products Affected

  • urllib3 versions prior to v1.26.5

Description

urllib3, an HTTP client module for Python, contains a Regular expression Denial-of-Service (ReDoS) vulnerability (CWE-400, CVE-2021-33503) due to catastrophic backtracking while processing a malicious URL.

Impact

A remote attacker may be able to cause a denial-of-service (DoS).

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
Developer has released the fixed version v1.26.5.
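To find environments that are still pinned to an affected release, the following added example (written for this page, not code from the advisory or the urllib3 project) scans pip-freeze style text for urllib3 pins older than v1.26.5. The sample freeze output is constructed.

```python
import re
from typing import List, Tuple

FIXED_VERSION = (1, 26, 5)  # first urllib3 release with the fix, per the advisory

# Matches a pinned requirement line such as "urllib3==1.26.4".
# Helper pattern written for this example; it is not urllib3's own URL regex.
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[0-9]+(?:\.[0-9]+)*)", re.ASCII
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.4' into (1, 26, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when a urllib3 version is older than the fixed release v1.26.5."""
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_pins(freeze_output: str) -> List[str]:
    """Return the urllib3 pins in pip-freeze style text that are below v1.26.5."""
    hits = []
    for line in freeze_output.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        # Package names are case-insensitive and '_' and '-' are interchangeable.
        if m.group("name").lower().replace("_", "-") != "urllib3":
            continue
        if is_affected(m.group("ver")):
            hits.append(line.strip())
    return hits


# Constructed sample of pip-freeze output (not real data).
SAMPLE_FREEZE = """\
certifi==2021.5.30
urllib3==1.26.4
requests==2.25.1
Urllib3==1.26.5
urllib3==1.25.11
"""

if __name__ == "__main__":
    for pin in find_vulnerable_pins(SAMPLE_FREEZE):
        print("needs update:", pin)
```

Only exact `==` pins are evaluated; ranges such as `>=1.25` are left for manual review because the installed version cannot be determined from the line alone.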

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 5.3
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): None (N)
Integrity Impact (I): None (N)
Availability Impact (A): Low (L)

Credit

Nariyoshi Chida of NTT Secure Platform Laboratories reported this vulnerability to the urllib3 community and coordinated with them. JPCERT/CC published this advisory in order to notify users of this vulnerability.
