
JVNDB-2021-001756

urllib3 vulnerable to Regular expression Denial-of-Service (ReDoS)

Overview

urllib3 contains a Regular expression Denial-of-Service (ReDoS) vulnerability.

urllib3, an HTTP client library for Python, contains a Regular expression Denial-of-Service (ReDoS) vulnerability (CWE-400, CVE-2021-33503). The regular expression that splits the authority component of a URL exhibits catastrophic backtracking when the authority contains many '@' characters, so parsing a malicious URL (for example one supplied as a parameter or received in an HTTP redirect) can consume excessive CPU time.

Nariyoshi Chida of NTT Secure Platform Laboratories reported this vulnerability to the urllib3 community and coordinated disclosure with them. JPCERT/CC published this advisory in order to notify users of this vulnerability.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

Python Software Foundation
  • urllib3 versions prior to v1.26.5

Impact

A remote attacker may be able to cause a denial-of-service (DoS).
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the fixed version, v1.26.5.
Note that urllib3 is frequently installed indirectly as a dependency of other packages (for example requests), so check the version actually installed in each environment rather than only the versions declared in direct requirements.
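The following worked example is added here to accompany this advisory; it is not urllib3's code. It ties together the two technical points above: the catastrophic backtracking described in the Overview, and the fixed-version threshold given in the Solution. The two regular expressions are simplified stand-ins written for this example in the shape of an authority-splitting pattern (no IPv6 support), not the project's own patterns; the malicious authority string is constructed inline; and the guard function and its 512-character limit are an illustrative defense-in-depth measure, not something the advisory prescribes.

```python
"""Added example for JVNDB-2021-001756 / CVE-2021-33503; not urllib3's code.

It shows (1) a version check against the fixed release 1.26.5, (2) why an
authority regex of the vulnerable shape backtracks on many '@' characters
while a pattern that forbids '@' in userinfo and host does not, and (3) a
cheap guard for attacker-supplied URLs. The two regexes are simplified
stand-ins written for this example (no IPv6 support), not urllib3's own.
"""
import re
import time

FIXED_VERSION = (1, 26, 5)


def is_affected_version(version: str) -> bool:
    """True if an urllib3 version string is older than 1.26.5.

    Only leading numeric components are compared: "1.26.4.post1" counts as
    1.26.4, pre-release tags such as "rc1" are ignored, and 2.x is not affected.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:          # "1.26" compares as 1.26.0
        parts.append(0)
    return tuple(parts[:3]) < FIXED_VERSION


_PCT = r"%[a-fA-F0-9]{2}"
# Vulnerable shape: userinfo is ".*" and the host class also admits '@', so
# every '@' in the input is a candidate split point and the engine tries
# them all before giving up (quadratic in the number of '@' here).
VULNERABLE_AUTHORITY_RE = re.compile(
    r"^(?:(.*)@)?((?:[^\[\]%:/?#]|" + _PCT + r")*)(?::([0-9]{0,5}))?$"
)
# Hardened shape: RFC 3986 allows '@' in neither userinfo nor host, so
# excluding it from both classes makes the split point unique.
HARDENED_AUTHORITY_RE = re.compile(
    r"^(?:([^@]*)@)?((?:[^@\[\]%:/?#]|" + _PCT + r")*)(?::([0-9]{0,5}))?$"
)


def split_authority(pattern, authority):
    """Return (userinfo, host, port) or None when the authority is rejected."""
    m = pattern.match(authority)
    return None if m is None else (m.group(1), m.group(2), m.group(3))


def malicious_authority(n):
    """Constructed trigger: n '@' characters followed by a '[' that neither
    pattern can match at the end, so the match must fail after backtracking."""
    return "@" * n + "["


def time_match(pattern, authority):
    """Seconds spent in one match attempt."""
    start = time.perf_counter()
    pattern.match(authority)
    return time.perf_counter() - start


def authority_of(url):
    """Authority component without a regex: text after '//' up to the first
    '/', '?' or '#'."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if 0 <= i < end:
            end = i
    return rest[:end]


MAX_AUTHORITY_LEN = 512  # illustrative limit chosen for this example


def guard_untrusted_url(url):
    """Defense in depth for URLs taken from query parameters or redirect
    Location headers: a valid authority never needs more than one '@' and
    is never this long. The real fix is upgrading urllib3."""
    authority = authority_of(url)
    return len(authority) <= MAX_AUTHORITY_LEN and authority.count("@") <= 1


if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        bad = malicious_authority(n)
        print("n=%5d  vulnerable=%.3fs  hardened=%.6fs"
              % (n, time_match(VULNERABLE_AUTHORITY_RE, bad),
                 time_match(HARDENED_AUTHORITY_RE, bad)))
```

Running the script doubles n three times; the vulnerable pattern's time grows roughly fourfold per doubling while the hardened pattern rejects the same input immediately, which is the difference between a parser that is bounded by input length and one that is not. The guard is only a mitigation for code that cannot upgrade immediately; the fix is to run urllib3 1.26.5 or later.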
Vendor Information

Python Software Foundation
CWE

  1. Uncontrolled Resource Consumption ('Resource Exhaustion')(CWE-400) [IPA Evaluation]
CVE

  1. CVE-2021-33503
References

  1. JVN : JVNVU#92413403
  2. National Vulnerability Database (NVD) : CVE-2021-33503
Revision History

  • [2021/06/08]
      Web page was published