MEDIUM 6.5
CVE-2021-3733
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
0.6%
percentile 70.4%
Affected tracked apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| python | python | Windows | <3.6.14 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.7.0 <3.7.11 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.8.0 <3.8.10 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.9.0 <3.9.5 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | — | cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:* |