Published:2021/06/07 Last Updated:2021/06/07
JVNVU#92413403
urllib3 vulnerable to Regular expression Denial-of-Service (ReDoS)
Overview
urllib3 contains a Regular expression Denial-of-Service (DoS) vulnerability.
Products Affected
- urllib3 versions prior to v1.26.5
Description
urllib3, an HTTP client module for Python, contains a Regular expression Denial-of-Service (ReDoS) vulnerability (CWE-400, CVE-2021-33503) due to catastrophic backtracking while processing a malicious URL.
Impact
A remote attacker may be able to cause a denial-of-service (DoS).
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
Developer has released the fixed version v1.26.5.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score:
5.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Nariyoshi Chida of NTT Secure Platform Laboratories reported this vulnerability to urllib3 community and coordinated. JPCERT/CC published this advisory in order to notify users of this vulnerability.