Skip to main content

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2021-3733 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2021-3733

CVE-2021-3733

MEDIUM6.5

There's a flaw in urllib's AbstractBasicAuthHandler class

Published Mar 7, 2022

Modified 4 months ago

Details

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

References

https://bugs.python.org/issue43075

https://bugzilla.redhat.com/show_bug.cgi?id=1995234

https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb

https://github.com/python/cpython/pull/24391

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html

https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

https://security.netapp.com/advisory/ntap-20220407-0001/

https://ubuntu.com/security/CVE-2021-3733

https://www.cve.org/CVERecord?id=CVE-2021-3733

CVSS Analysis

CVSS v3.1

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

Resource Management

Resource Exhaustion

Ecosystems

Timeline

PublishedMar 7, 2022

ModifiedNov 3, 2025