Safety vulnerability ID: 45815
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Python versions 3.6.14, 3.7.11, 3.8.10, 3.9.5 and 3.10.0 include a fix for CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload that is sent by the server to the client.
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex2.html
Latest version: 0.9.8
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability. See CVE-2021-3733.
MISC: https://bugs.python.org/issue43075
MISC: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
MISC: https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb
MISC: https://github.com/python/cpython/pull/24391
MISC: https://ubuntu.com/security/CVE-2021-3733