CVE-2021-3733 (GCVE-0-2021-3733)

Vulnerability from cvelistv5 – Published: 2022-03-07 00:00 – Updated: 2025-11-03 21:45
VLAI
Summary
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Severity
No CVSS data available.
CWE
  • CWE-400 - - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
n/a python Affected: Fixed in python v3.6.14, python v3.7.11, python v3.8.10, python v3.9.5.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:45:06.299Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.python.org/issue43075"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/pull/24391"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2021-3733"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220407-0001/"
          },
          {
            "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
          },
          {
            "name": "[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in python v3.6.14, python v3.7.11, python v3.8.10, python v3.9.5."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "There\u0027s a flaw in urllib\u0027s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 - Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-30T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugs.python.org/issue43075"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
        },
        {
          "url": "https://github.com/python/cpython/pull/24391"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2021-3733"
        },
        {
          "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220407-0001/"
        },
        {
          "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
        },
        {
          "name": "[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3733",
    "datePublished": "2022-03-07T00:00:00.000Z",
    "dateReserved": "2021-08-23T00:00:00.000Z",
    "dateUpdated": "2025-11-03T21:45:06.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-3733",
      "date": "2026-05-30",
      "epss": "0.00629",
      "percentile": "0.70604"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3733\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-03-10T17:42:59.623\",\"lastModified\":\"2025-11-03T22:15:50.833\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There\u0027s a flaw in urllib\u0027s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.\"},{\"lang\":\"es\",\"value\":\"Se presenta un fallo en la clase AbstractBasicAuthHandler de urllib. Un atacante que controle un servidor HTTP malicioso al que se conecte un cliente HTTP (como un navegador web), podr\u00eda desencadenar una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDOS) durante una petici\u00f3n de autenticaci\u00f3n con una carga \u00fatil especialmente dise\u00f1ada que sea enviada por el servidor al cliente. La mayor amenaza que supone este fallo es para la disponibilidad de la aplicaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:N/A:P\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.14\",\"matchCriteriaId\":\"C0AA4B12-CF3C-4327-983C-9067D7D97B57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.7.0\",\"versionEndExcluding\":\"3.7.11\",\"matchCriteriaId\":\"63D83236-D590-43D4-82C0-B0C656E02A29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.8.0\",\"versionEndExcluding\":\"3.8.10\",\"matchCriteriaId\":\"2F85FAB1-4A42-447A-AC58-ED818123BDDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.0\",\"versionEndExcluding\":\"3.9.5\",\"matchCriteriaId\":\"91FD0AF9-B011-4238-8CF1-BDEA0399AF82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"36027ED3-D643-4ACE-A43C-725C8E0BD99F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:codeready_linux_builder:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"93A089E2-D66E-455C-969A-3140D991BAF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4131A8B1-AC09-4C2D-8C7A-8D4AA10CB8FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F48D0CB-CB06-4456-B918-6549BC6C7892\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E3F09B5-569F-4C58-9FCA-3C0953D107B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"87C21FE1-EA5C-498F-9C6C-D05F91A88217\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C9BD9AE-46FC-4609-8D99-A3CFE91D58D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47811209-5CE5-4375-8391-B0A7F6A0E420\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"983533DD-3970-4A37-9A9C-582BD48AA1E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E28F226A-CBC7-4A32-BE58-398FA5B42481\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22D095ED-9247-4133-A133-73B7668565E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC10D919-57FD-4725-B8D2-39ECB476902F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC6DD887-9744-43EA-8B3C-44C6B6339590\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D9C7598-4BB4-442A-86DF-EEDE041A4CC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7CF3019-975D-40BB-A8A4-894E62BD3797\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:solidfire\\\\,_enterprise_sds_\\\\\u0026_hci_storage_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAA3919C-B2B1-4CB5-BA76-7A079AAFFC52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F921BC85-568E-4B69-A3CD-CF75C76672F1\"}]}]}],\"references\":[{\"url\":\"https://bugs.python.org/issue43075\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1995234\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python/cpython/pull/24391\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220407-0001/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://ubuntu.com/security/CVE-2021-3733\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.python.org/issue43075\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1995234\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/python/cpython/pull/24391\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220407-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://ubuntu.com/security/CVE-2021-3733\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.