CVE-2021-3733

Updated: 2025-11-19 05:39:55.088039

Description:

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x MEDIUM 4.0
CVSS Version 3.x MEDIUM 6.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
Alpine Linux 3.22 python 3.9 6.5 MEDIUM Not Vulnerable 2026-02-02 14:29:58 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Alpine Linux 3.22 python 3.7 6.5 MEDIUM Not Vulnerable 2026-02-16 14:41:28 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Alpine Linux 3.22 python 3.8 6.5 MEDIUM Not Vulnerable 2026-02-07 04:07:55 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Alpine Linux 3.22 python 3.6 6.5 MEDIUM Not Vulnerable 2026-01-27 16:43:57 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Debian 10 python 3.6 6.5 MEDIUM Already Fixed 2025-09-09 19:26:50
Debian 10 python 2.7 6.5 MEDIUM Released CLSA-2025:1760705864 2025-10-17 14:05:45
Debian 11 python 2.7 6.5 MEDIUM Released CLSA-2025:1760705964 2025-10-17 14:05:44
Debian 11 python 3.6 6.5 MEDIUM Already Fixed 2025-09-09 19:26:49
Debian 12 python 3.9 6.5 MEDIUM Not Vulnerable 2025-12-11 07:44:52 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Debian 12 python 3.7 6.5 MEDIUM Not Vulnerable 2025-12-11 07:46:30 Not affected: the Python runtime in use is 3.9.23, which already includes the upstream fix for the u...
Total: 36