CVE-2021-33503: Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
(updated )
When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
References
- github.com/advisories/GHSA-q2q7-5pp4-w6pg
- github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2021-108.yaml
- github.com/urllib3/urllib3
- github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f
- github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73
- nvd.nist.gov/vuln/detail/CVE-2021-33503
- security.gentoo.org/glsa/202107-36
- www.oracle.com/security-alerts/cpuoct2021.html
Detect and mitigate CVE-2021-33503 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →