Bug 1968074 (CVE-2021-33503)
| Summary: | CVE-2021-33503 python-urllib3: ReDoS in the parsing of authority part of URL | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amackenz, amasferr, aos-bugs, apevec, aurelien, bbuckingham, bcoca, bcourt, bdettelb, bkearney, bmontgom, btotty, caswilli, chazlett, chousekn, cmeyers, cstratak, davidn, drieden, ehelms, eparis, gblomqui, hhorak, hvyas, infra-sig, jburrell, jcammara, jeremy, jhardy, jjoyce, jnakfour, jobarker, jokerman, jorton, jschluet, jsherril, kaycoth, lbalhar, lhh, lpeer, lzap, mabashia, manisandro, mburns, mhulan, mkudlej, mmccune, myarboro, nmoumoul, notting, nstielau, orabin, osapryki, pcreech, python-maint, rchan, relrod, rfreiman, rjerrido, rpetrell, sclewis, sdoran, slinaber, smcdonal, sokeeffe, sponnaga, tjochec, tkuratom, tomckay, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | urllib3 1.26.5 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority's regular expression exhibits catastrophic backtracking. This flaw causes a denial of service if a URL is passed as a parameter or redirected via an HTTP redirect. The highest threat from this vulnerability is to system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-09-09 00:21:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1973656, 1968075, 1968076, 1968077, 1968487, 1970176, 1970952, 1970953, 1970954, 1970955, 1970956, 1972639, 1973653, 1973654, 1973655, 1973657, 1973658, 1974305 | | |
| Bug Blocks: | 1968078 | | |
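The Doc Text above describes the defect: a URL whose authority component carries many `@` characters drives the authority regular expression into catastrophic backtracking, whether the URL arrives as a parameter or as an HTTP redirect target. The following is an added example (not code from this bug record or from the urllib3 project) of two defensive checks a deployment can apply while an affected version is still installed: a version comparison against the "Fixed In Version" of 1.26.5, and a linear-time screen of the authority that rejects URLs with more than one `@` in the netloc before they reach urllib3. The `MAX_AUTHORITY_LEN` limit and the function names are assumptions chosen for illustration; `urllib.parse.urlsplit` is used because it extracts the netloc with plain string operations rather than a backtracking regex.

```python
"""Defensive pre-checks related to CVE-2021-33503 (added example; the helper
names, the length limit and the sample inputs are constructed for illustration
and are not part of the Bugzilla record or of urllib3 itself)."""
from urllib.parse import urlsplit

# "Fixed In Version: urllib3 1.26.5" from the bug record.
FIXED_VERSION = (1, 26, 5)

# Assumed local policy: a well-formed authority has at most one userinfo
# separator, and anything longer than this is not a hostname we expect.
MAX_AT_SIGNS = 1
MAX_AUTHORITY_LEN = 1024


def parse_version(version: str) -> tuple:
    """Turn '1.25.11' into (1, 25, 11); stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_fixed_version(version: str) -> bool:
    """True when the installed urllib3 already carries the upstream fix."""
    return parse_version(version) >= FIXED_VERSION


def authority_is_suspicious(url: str) -> bool:
    """Linear-time screen of the authority (netloc) component.

    urlsplit() locates the netloc with find()/rfind(), so it does not
    backtrack; counting '@' and checking the length is O(n) in the URL size.
    """
    netloc = urlsplit(url).netloc
    return netloc.count("@") > MAX_AT_SIGNS or len(netloc) > MAX_AUTHORITY_LEN


def should_pass_to_urllib3(url: str, installed_version: str) -> bool:
    """Gate a URL (including a Location header from a redirect) before handing
    it to urllib3: always pass on a fixed version, otherwise only pass
    authorities that survive the screen."""
    if is_fixed_version(installed_version):
        return True
    return not authority_is_suspicious(url)


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary URL and one shaped like the
    # condition the Doc Text describes (many '@' in the authority).
    normal = "https://user:secret@example.com/path?q=1"
    many_at = "https://" + "@" * 50 + "example.com/"
    for version in ("1.24.1", "1.25.11", "1.26.5"):
        print(version, "fixed" if is_fixed_version(version) else "affected",
              "normal:", should_pass_to_urllib3(normal, version),
              "many_at:", should_pass_to_urllib3(many_at, version))
```

In practice the screen belongs wherever untrusted URLs enter the process (request parameters, and the `Location` value of a redirect if redirects are followed manually); once the package is upgraded to 1.26.5 or later the version check short-circuits the gate.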
Description
Pedro Sampaio
2021-06-04 21:09:18 UTC

Created mingw-python-urllib3 tracking bugs for this issue:

Affects: fedora-34 [bug 1968077]

Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1968076]
Affects: openstack-rdo [bug 1968075]

Upstream commit (1.26.x): https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

Analysis is complete for AAP 1.2 and it's found that Ansible Tower (urllib3 v1.24.1) and Pulp Core (urllib3 v1.25.11) are using an affected version of urllib3 along with vulnerable functionality. However, directly manipulating auth of the URL here in Pulp may not be possible. Hence, creating trackers as "affected" -> "delegated".

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:3473 https://access.redhat.com/errata/RHSA-2021:3473

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33503

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702