CVE-2021-33503
Publication date 29 June 2021
Last updated 25 August 2025
Ubuntu priority
Description
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-urllib3 | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 1.25.8-2ubuntu0.2
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| python-pip | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 20.0.2-5ubuntu1.7
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
mdeslaur
the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required.
sbeattie
python-pip 20.3.4-4 build in impish is built against python3-urllib3 1.26.5-1~exp1, and thus impish and newer is fixed. introduced in urllib3 in 0aa3e24fcd75f1bb59ab159e9f8adb44055b2271 or newer
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5812-1
- urllib3 vulnerability
- 19 January 2023