hvac icon indicating copy to clipboard operation
hvac copied to clipboard
verified publisher icon hvac

CVE-2021-33503 (High) detected in urllib3-1.25.11-py2.py3-none-any.whl

Open simin-xia opened this issue 4 years ago • 1 comments

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.11-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/56/aa/4ef5aa67a9a62505db124a5cb5262332d1d4153462eb8fd89c9fa41e5d92/urllib3-1.25.11-py2.py3-none-any.whl

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

simin-xia avatar Mar 03 '22 13:03 simin-xia

@adammike @tachyonknave @colin-pm I see 0.11.3 will include the fix to resolve this vulnerability if I am correct. You know when 0.11.3 will be released? I see the change log states "0.11.3 (May 6th, 2022)" but latest release on the HVAC site is still 0.11.2: https://pypi.org/project/hvac/#files

cjin62 avatar Sep 16 '22 00:09 cjin62

Resolved by #854

briantist avatar Jun 25 '23 02:06 briantist