CVE-2021-3733

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-3733
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-03-10 17:42:00 UTC
Updated2023-06-30 23:15:00 UTC
DescriptionThere's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

Risk And Classification

Problem Types: CWE-400

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Fedoraproject Extra Packages For Enterprise Linux 7.0 All All All
Operating System Fedoraproject Fedora 33 All All All
Operating System Fedoraproject Fedora 34 All All All
Operating System Fedoraproject Fedora 35 All All All
Operating System Fedoraproject Fedora 36 All All All
Application Fedoraproject Fedora Extra Packages For Enterprise Linux 7.0 All All All
Operating System Netapp Hci Compute Node Firmware - All All All
Application Netapp Management Services For Element Software And Netapp Hci - All All All
Application Netapp Ontap Select Deploy Administration Utility - All All All
Application Netapp Solidfire Enterprise Sds Hci Storage Node - All All All
Application Python Python All All All All
Application Python Python 3.10.0 - All All
Application Python Python 3.6.0 - All All
Application Python Python 3.7.0 - All All
Application Python Python 3.8.0 - All All
Application Python Python 3.9.0 - All All
Application Redhat Codeready Linux Builder 8.0 All All All
Application Redhat Codeready Linux Builder For Ibm Z Server 8.0 All All All
Application Redhat Codeready Linux Builder For Ibm Z Systems 8.0 All All All
Application Redhat Codeready Linux Builder For Power Little Endian 8.0 All All All
Operating System Redhat Enterprise Linux 8.0 All All All
Operating System Redhat Enterprise Linux Eus 8.4 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems 8.0 All All All
Operating System Redhat Enterprise Linux For Ibm Z Systems Eus 8.4 All All All
Operating System Redhat Enterprise Linux For Power Little Endian 8.0 All All All
Operating System Redhat Enterprise Linux For Power Little Endian Eus 8.4 All All All
Operating System Redhat Enterprise Linux Server Aus 8.4 All All All
Operating System Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions 8.4 All All All
Operating System Redhat Enterprise Linux Server Tus 8.4 All All All
Operating System Redhat Enterprise Linux Server Update Services For Sap Solutions 8.4 All All All

References

ReferenceSourceLinkTags
CVE-2021-3733 | Ubuntu MISC ubuntu.com
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) · python/cpython@7215d1a · GitHub MISC github.com
[SECURITY] [DLA 3477-1] python3.7 security update MLIST lists.debian.org
[SECURITY] [DLA 3432-1] python2.7 security update MLIST lists.debian.org
1995234 – (CVE-2021-3733) CVE-2021-3733 python: urllib: Regular expression DoS in AbstractBasicAuthHandler MISC bugzilla.redhat.com
Issue 43075: CVE-2021-3733: ReDoS in urllib.request - Python tracker MISC bugs.python.org
bpo-43075: Fix ReDoS in request by yetingli · Pull Request #24391 · python/cpython · GitHub MISC github.com
CVE-2021-3733 Python Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 159444 Oracle Enterprise Linux Security Update for python3 (ELSA-2021-4057)
  • 159466 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2021-4160)
  • 159797 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2022-1764)
  • 159819 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-1821)
  • 178882 Debian Security Update for python3.5 (DLA 2808-1)
  • 181802 Debian Security Update for python2.7 (DLA 3432-1)
  • 198609 Ubuntu Security Notification for Python Vulnerabilities (USN-5199-1)
  • 198611 Ubuntu Security Notification for Python Vulnerabilities (USN-5200-1)
  • 239768 Red Hat Update for python3 (RHSA-2021:4057)
  • 239841 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2021:4160)
  • 240254 Red Hat Update for python27-python and python27-python-pip (RHSA-2022:1663)
  • 240287 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2022:1764)
  • 240302 Red Hat Update for python27:2.7 (RHSA-2022:1821)
  • 281936 Fedora Security Update for python2.7 (FEDORA-2021-34760089da)
  • 281937 Fedora Security Update for python2.7 (FEDORA-2021-68d0f3043a)
  • 281947 Fedora Security Update for mingw (FEDORA-2021-eef0654c0b)
  • 296062 Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)
  • 353942 Amazon Linux Security Advisory for python : ALAS2-2022-1802
  • 353955 Amazon Linux Security Advisory for python27 : ALAS-2022-1593
  • 377387 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2021:0080)
  • 6000019 Debian Security Update for python3.7 (DLA 3477-1)
  • 671034 EulerOS Security Update for python (EulerOS-SA-2021-2669)
  • 671148 EulerOS Security Update for python2 (EulerOS-SA-2021-2812)
  • 671155 EulerOS Security Update for python3 (EulerOS-SA-2021-2813)
  • 671213 EulerOS Security Update for python3 (EulerOS-SA-2022-1013)
  • 671224 EulerOS Security Update for python3 (EulerOS-SA-2022-1033)
  • 671253 EulerOS Security Update for python (EulerOS-SA-2022-1183)
  • 671296 EulerOS Security Update for python3 (EulerOS-SA-2022-1214)
  • 671306 EulerOS Security Update for python3 (EulerOS-SA-2022-1233)
  • 751252 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:3477-1)
  • 751261 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2021:3486-1)
  • 751268 OpenSUSE Security Update for python (openSUSE-SU-2021:3489-1)
  • 751274 SUSE Enterprise Linux Security Update for python (SUSE-SU-2021:3524-1)
  • 751306 OpenSUSE Security Update for python (openSUSE-SU-2021:1418-1)
  • 751494 OpenSUSE Security Update for python3 (openSUSE-SU-2021:4104-1)
  • 751548 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2021:4015-2)
  • 752098 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2022:1485-1)
  • 902045 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (9820)
  • 902673 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (9820-1)
  • 940315 AlmaLinux Security Update for python3 (ALSA-2021:4057)
  • 940499 AlmaLinux Security Update for python27:2.7 (ALSA-2022:1821)
  • 940557 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2022:1764)
  • 940559 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2021:4160)
  • 960239 Rocky Linux Security Update for python39:3.9 and python39-devel:3.9 (RLSA-2021:4160)
  • 960252 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2022:1764)
  • 960259 Rocky Linux Security Update for python27:2.7 (RLSA-2022:1821)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report