{"id":"CVE-2021-33503","details":"An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if such a URL is passed as a parameter or reached via an HTTP redirect.","aliases":["GHSA-q2q7-5pp4-w6pg","PYSEC-2021-108"],"modified":"2026-05-18T05:53:22.181075130Z","published":"2021-06-29T11:15:07.847Z","related":["ALSA-2021:4160","ALSA-2021:4162","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-RU-2021:2194-1","SUSE-SU-2021:2012-1","SUSE-SU-2021:2195-1","openSUSE-SU-2021:2012-1","openSUSE-SU-2024:11277-1","openSUSE-SU-2024:12944-1","openSUSE-SU-2024:14055-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"33"},{"last_affected":"34"}],"vendor_product":"fedoraproject:fedora","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.4.0.0"}],"vendor_product":"oracle:enterprise_manager_ops_center","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"17.1"},{"last_affected":"17.2"},{"last_affected":"17.3"}],"vendor_product":"oracle:instantis_enterprisetrack","source":"CPE_FIELD"},{"cpes":["cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.8"}],"vendor_product":"oracle:zfs_storage_appliance_kit","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"},{"type":"WEB","url":"https://lists.fedo
raproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-36"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"7e856c04723036934fe314c63701466e4f42d2ee"},{"fixed":"d1616473df94b94f0f5ad19d2a6608cfe93b7cdf"},{"fixed":"2d4a3fee6de2fa45eb82169361918f759269b4ec"}],"database_specific":{"extracted_events":[{"introduced":"1.25.4"},{"fixed":"1.26.5"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*"}}],"versions":["1.26.4","1.26.3","1.26.2","1.26.1","1.26.0","1.25.8","1.25.7","1.25.6","1.25.5","1.25.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33503.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}