An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - opencensus_ext_logging-0.1.0-py2.py3-none-any.whl
Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e
Vulnerabilities
Details
CVE-2021-33503
### Vulnerable Library - urllib3-1.26.4-py2.py3-none-any.whlHTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/09/c6/d3e3abe5b4f4f16cf0dfc9240ab7ce10c2baa0e268989a4e3ec19e90c84e/urllib3-1.26.4-py2.py3-none-any.whl
Dependency Hierarchy: - opencensus_ext_logging-0.1.0-py2.py3-none-any.whl (Root Library) - opencensus-0.7.12-py2.py3-none-any.whl - google_api_core-1.26.3-py2.py3-none-any.whl - requests-2.25.1-py2.py3-none-any.whl - :x: **urllib3-1.26.4-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 746ed83ebdd8ae6f3a8cc4520617776b5d61397e
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5