{
  "threat_severity" : "Moderate",
  "public_date" : "2021-08-10T00:00:00Z",
  "bugzilla" : {
    "description" : "python: urllib: Regular expression DoS in AbstractBasicAuthHandler",
    "id" : "1995234",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.", "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability." ],
  "statement" : "Applications that use AbstractBasicAuthHandler, HTTPBasicAuthHandler and ProxyBasicAuthHandler may be affected by this flaw. Other classes may use the vulnerable method http_error_auth_reqed in AbstractBasicAuthHandler as well.\nThis flaw is out of support scope for versions of Python shipped in Red Hat Enterprise Linux 7 base OS and Red Hat Enterprise Linux 6. For more information about support life cycles, please see https://access.redhat.com/support/policy/updates/errata/",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-02T00:00:00Z",
    "advisory" : "RHSA-2021:4057",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-39.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4160",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39:3.9-8050020210811100211.d428a79b"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4160",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39-devel:3.9-8050020210811100211.d428a79b"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1764",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python38:3.8-8060020220120164031.5294be16"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1764",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python38-devel:3.8-8060020220120164031.5294be16"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1821",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python27:2.7-8060020220210185952.8cdc2268"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-02T00:00:00Z",
    "advisory" : "RHSA-2021:4057",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-39.el8_4"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-babel-0:2.7.0-12.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-0:3.8.11-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-cryptography-0:2.8-5.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-lxml-0:4.4.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-pip-0:19.3.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-05-02T00:00:00Z",
    "advisory" : "RHSA-2022:1663",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "python27-python-0:2.7.18-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-babel-0:2.7.0-12.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-0:3.8.11-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-cryptography-0:2.8-5.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-jinja2-0:2.10.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-lxml-0:4.4.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-pip-0:19.3.1-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2021-08-24T00:00:00Z",
    "advisory" : "RHSA-2021:3254",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-python38-python-urllib3-0:1.25.7-7.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3733\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3733\nhttps://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-14-final\nhttps://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-11-final\nhttps://docs.python.org/3.8/whatsnew/changelog.html#python-3-8-10-final\nhttps://docs.python.org/3.9/whatsnew/changelog.html#python-3-9-5-final" ],
  "name" : "CVE-2021-3733",
  "csaw" : false
}