When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. References: https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
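The description above says the trigger is an authority component containing many @ characters, reached either through a caller-supplied URL or through a redirect target. The following Python is an added example written for this page, not code from urllib3 or from any Red Hat product: it shows the two checks a practitioner would want before handing an untrusted URL to an affected client, a version gate and a pre-parse guard on the authority. The fixed release (1.26.5) is taken from the GHSA advisory linked above, not from this bug; the length bound and the "at most one @" rule (RFC 3986 forbids an unencoded @ inside userinfo) are this example's own assumptions, not urllib3 settings.

```python
"""Pre-flight guard for URLs handed to a urllib3-based client (added example)."""
import re
from urllib.parse import urlsplit

# First release carrying the fix, per GHSA-q2q7-5pp4-w6pg (assumed from the
# advisory; the bug page itself only links the 1.26.x commit).
FIXED_VERSION = (1, 26, 5)

# Bounds for the guard. Both are assumptions chosen for this example; pick
# values that match the URLs your application legitimately handles.
MAX_AUTHORITY_LEN = 255
MAX_AT_SIGNS = 1  # RFC 3986: userinfo may not contain an unencoded '@'


def version_tuple(version):
    """'1.26.5' -> (1, 26, 5); suffixes such as '.dev0' or 'rc1' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % (version,))
    return tuple(int(x or 0) for x in m.groups())


def urllib3_is_patched(version):
    """True when the given urllib3 version is at or beyond the fixed release."""
    return version_tuple(version) >= FIXED_VERSION


def authority_of(url):
    """Authority (netloc) component as the stdlib splitter sees it.

    urlsplit is a linear scan, so it is safe to run on untrusted input
    before the URL reaches the affected regex-based parser."""
    return urlsplit(url).netloc


def check_url(url):
    """Return (ok, reason).

    Rejects URLs whose authority is over-long or contains more '@' characters
    than RFC 3986 permits; both are the shapes that drive pathological
    backtracking in the affected versions. '@' elsewhere (path, query) is
    not part of the authority and is left alone."""
    netloc = authority_of(url)
    if len(netloc) > MAX_AUTHORITY_LEN:
        return False, "authority longer than %d characters" % MAX_AUTHORITY_LEN
    at_count = netloc.count("@")
    if at_count > MAX_AT_SIGNS:
        return False, "authority contains %d '@' characters" % at_count
    return True, "ok"


def check_redirect(location, installed_version):
    """Decide whether a Location header value may be followed.

    With a patched urllib3 the guard is belt-and-braces; with an affected
    version it is the only thing standing between the redirect and the ReDoS."""
    ok, reason = check_url(location)
    if not ok:
        return False, reason
    if not urllib3_is_patched(installed_version):
        return True, "ok (urllib3 %s is unpatched; relying on the guard)" % installed_version
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [
        "https://user:secret@example.com/path",
        "https://" + "@" * 64 + "example.com/",
        "https://example.com/" + "@" * 500,
    ]
    for s in samples:
        print(s[:60], "->", check_url(s))
    for v in ("1.24.1", "1.25.11", "1.26.5"):
        print("urllib3", v, "patched:", urllib3_is_patched(v))
```

The version numbers 1.24.1 and 1.25.11 used in the demo are the ones named later on this page for Ansible Tower and Pulp Core; both sit below the fixed release, so the guard, not the library, is what protects them.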
Created mingw-python-urllib3 tracking bugs for this issue:

Affects: fedora-34 [bug 1968077]

Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1968076]
Affects: openstack-rdo [bug 1968075]
Upstream commit (1.26.x): https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
Analysis is complete for AAP 1.2 and it's found that Ansible Tower (urllib3 v1.24.1) and Pulp Core (urllib3 v1.25.11) are using affected versions of urllib3 along with the vulnerable functionality. However, directly manipulating the auth of the URL here in Pulp may not be possible. Hence, creating trackers as "affected" -> "delegated".
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This issue has been addressed in the following products:

Red Hat Automation Hub 4.2 for RHEL 7
Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:3473 https://access.redhat.com/errata/RHSA-2021:3473
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33503
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
This issue has been addressed in the following products: Red Hat Satellite 6.10 for RHEL 7 Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702