
CVE-2021-33503

Published: 29 June 2021

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
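As an added example (not code from this Ubuntu page or from urllib3 itself), the following Python pre-filter rejects URLs whose authority component carries more '@' characters than RFC 3986 allows before they are handed to a urllib3 older than 1.26.5, and pairs it with a version check. The function names, the constant names and the sample URLs are assumptions made for this example; the version comparison is against upstream numbering only, so distro packages with backported fixes (such as focal's 1.25.8-2ubuntu0.2 above) must be judged by the status table, not by this check.

```python
import re
from typing import Optional, Tuple

# Assumed values for this example: the first fixed upstream release named in
# the advisory, and the RFC 3986 limit of one '@' (userinfo@host) per authority.
FIXED_VERSION = (1, 26, 5)
MAX_AT_IN_AUTHORITY = 1


def authority_of(url: str) -> Optional[str]:
    """Return the authority of an absolute URL (text between '//' and the
    first '/', '?' or '#'), or None for URLs that have no authority."""
    m = re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)', url)
    return m.group(1) if m else None


def is_suspicious_authority(url: str) -> bool:
    """True when the authority holds more '@' than a valid URL can carry.
    Such inputs are exactly the class that drives the vulnerable regex into
    catastrophic backtracking, so they are refused up front."""
    auth = authority_of(url)
    return auth is not None and auth.count('@') > MAX_AT_IN_AUTHORITY


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.25.8', '1.26' or '1.26.5rc1' into a comparable (major, minor, patch)
    tuple; pre-release suffixes and distro revisions are ignored."""
    m = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?', version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.groups() if p is not None]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def urllib3_is_vulnerable(version: str) -> bool:
    """True for upstream urllib3 releases before 1.26.5 (per the advisory)."""
    return parse_version(version) < FIXED_VERSION


def safe_to_fetch(url: str, installed_urllib3: str) -> bool:
    """Gate for a URL about to be requested or followed as a redirect target."""
    if not urllib3_is_vulnerable(installed_urllib3):
        return True
    return not is_suspicious_authority(url)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    print(safe_to_fetch("https://user:pw@example.com/path", "1.25.8"))  # True
    print(safe_to_fetch("https://" + "@" * 40 + "example.com/", "1.25.8"))  # False
```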

Notes

Author    Note
mdeslaur  The python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required.
sbeattie  python-pip 20.3.4-4 build in impish is built against python3-urllib3 1.26.5-1~exp1, and thus impish and newer are fixed.
          Introduced in urllib3 in 0aa3e24fcd75f1bb59ab159e9f8adb44055b2271 or newer.

Priority

Low

CVSS 3 Severity Score

7.5

Score breakdown

Status

Package         Release    Status
python-urllib3  (Launchpad, Ubuntu, Debian)
                trusty     Not vulnerable
                xenial     Not vulnerable
                bionic     Not vulnerable
                focal      Released (1.25.8-2ubuntu0.2)
                groovy     Ignored (end of life)
                hirsute    Ignored (end of life)
                impish     Not vulnerable (1.26.5-1~exp1)
                jammy      Not vulnerable (1.26.5-1~exp1)
                kinetic    Not vulnerable (1.26.5-1~exp1)
                upstream   Released (1.26.5)

python-pip      (Launchpad, Ubuntu, Debian)
                trusty     Not vulnerable (embedded urllib3 not affected)
                xenial     Not vulnerable (embedded urllib3 not affected)
                bionic     Not vulnerable (embedded urllib3 not affected)
                focal      Released (20.0.2-5ubuntu1.7)
                groovy     Ignored (end of life)
                hirsute    Ignored (end of life)
                impish     Not vulnerable (20.3.4-4)
                jammy      Not vulnerable (20.3.4-4)
                kinetic    Not vulnerable (20.3.4-4)
                upstream   Released (21.2)

Patches:
upstream: https://github.com/pypa/pip/commit/5394d340fb3a0b31a8e1909dd6872ecc36f75fbe (21.2)

Severity score breakdown

Parameter            Value
Base score           7.5
Attack vector        Network
Attack complexity    Low
Privileges required  None
User interaction     None
Scope                Unchanged
Confidentiality      None
Integrity impact     None
Availability impact  High
Vector               CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H