CVE-2021-3733: Medium severity Python vulnerability

Published Aug 10, 2021 · Last updated 25 August 2025

Other sources

Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause a denial of service condition.

IBM

The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

References:

https://bugs.python.org/issue43075
https://github.com/python/cpython/pull/24391

Red Hat

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
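The descriptions above all come down to one regular expression: the pattern AbstractBasicAuthHandler uses to pull the scheme and realm out of a WWW-Authenticate (or Proxy-Authenticate) header returned by the server. The example below is added here and is not code from this page, from CPython, IBM or Red Hat. The two patterns are transcribed from memory of CPython's urllib/request.py (the pre-fix pattern and the one after the fix linked above, which only tightens the scheme character class); treat that transcription as an assumption. Everything else, including the header values, is constructed for this example. It runs the same parse loop over a benign multi-challenge header and over a hostile header made of commas, which is the input shape that makes the pre-fix pattern backtrack quadratically.

```python
"""Added example for CVE-2021-3733 (not code from the page, CPython, IBM or
Red Hat): the challenge-parsing regex of urllib's AbstractBasicAuthHandler
before and after the fix, run over a benign header and a hostile one.

Assumptions, labelled: VULNERABLE_RX and FIXED_RX are transcribed from memory
of urllib/request.py (pre-fix pattern, and the pattern after the fix in
python/cpython pull 24391); only the scheme character class differs. The
header values below are constructed for this example, not taken from any
real server or exploit.
"""
import re
import time

# Pre-fix: the scheme group '[^ \t]+' may contain commas, so on a run of
# commas it is retried from every comma position and backtracks one
# character at a time: O(n) work per position, O(n^2) overall.
VULNERABLE_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Post-fix: '[^ \t,]+' cannot swallow the comma separators, so each start
# position fails in constant time on the same hostile input.
FIXED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_challenges(header_value, rx=FIXED_RX):
    """Walk every challenge in a WWW-Authenticate value the way
    AbstractBasicAuthHandler.http_error_auth_reqed does (finditer over the
    whole value) and return [(scheme_lowercased, realm, realm_was_quoted)].
    """
    challenges = []
    for mo in rx.finditer(header_value):
        scheme, quote, realm = mo.groups()
        # urllib accepts an unquoted realm (with a UserWarning) and also
        # single quotes, which the RFC does not allow.
        challenges.append((scheme.lower(), realm, quote != ""))
    return challenges


def hostile_header(n):
    """Constructed server payload: n commas and no 'realm=' anywhere, so
    every match attempt fails and the engine backtracks through all of them.
    """
    return "," * n


def seconds_to_parse(rx, header_value):
    """Wall-clock time to scan one header value with the given pattern."""
    start = time.perf_counter()
    parse_challenges(header_value, rx)
    return time.perf_counter() - start


if __name__ == "__main__":
    benign = 'Basic realm="Example Corp", Digest realm="other", Bearer realm=api'
    print("benign header, fixed pattern:", parse_challenges(benign))
    # Doubling the payload roughly quadruples the pre-fix time and roughly
    # doubles the fixed one; keep n small, the pre-fix pattern is the point.
    for n in (4000, 8000):
        print(f"n={n}: pre-fix {seconds_to_parse(VULNERABLE_RX, hostile_header(n)):.3f}s, "
              f"fixed {seconds_to_parse(FIXED_RX, hostile_header(n)):.4f}s")
```

Both patterns agree on well-formed headers, which is why the bug survived normal testing; the difference only shows on input a server has to craft deliberately. A quick way to check an interpreter you cannot upgrade yet is to time `urllib.request.AbstractBasicAuthHandler.rx.finditer` on a comma string of growing length, as the demo does with the transcribed patterns.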

Affected Software

45 affected components (fixes available)

redhat/python3: affected <0:3.6.8-39.el8_4, fixed in 0:3.6.8-39.el8_4
redhat/rh-python38-babel: affected <0:2.7.0-12.el7, fixed in 0:2.7.0-12.el7
redhat/rh-python38-python: affected <0:3.8.11-2.el7, fixed in 0:3.8.11-2.el7
redhat/rh-python38-python-cryptography: affected <0:2.8-5.el7, fixed in 0:2.8-5.el7
redhat/rh-python38-python-jinja2: affected <0:2.10.3-6.el7, fixed in 0:2.10.3-6.el7
redhat/rh-python38-python-lxml: affected <0:4.4.1-7.el7, fixed in 0:4.4.1-7.el7
redhat/rh-python38-python-pip: affected <0:19.3.1-2.el7, fixed in 0:19.3.1-2.el7
redhat/rh-python38-python-urllib3: affected <0:1.25.7-7.el7, fixed in 0:1.25.7-7.el7
redhat/python27-python: affected <0:2.7.18-4.el7, fixed in 0:2.7.18-4.el7
redhat/python: affected <3.6.14, fixed in 3.6.14
redhat/python: affected <3.7.11, fixed in 3.7.11
redhat/python: affected <3.8.10, fixed in 3.8.10
redhat/python: affected <3.9.5, fixed in 3.9.5
Python Python<3.6.14
Python Python>=3.7.0<3.7.11
Python Python>=3.8.0<3.8.10
Python Python>=3.9.0<3.9.5
Python Python=3.10.0
redhat Codeready Linux Builder=8.0
redhat Codeready Linux Builder For Ibm Z Systems=8.0
redhat Codeready Linux Builder For Power Little Endian=8.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux Eus=8.4
redhat Enterprise Linux For Ibm Z Systems=8.0
redhat Enterprise Linux For Ibm Z Systems Eus=8.4
redhat Enterprise Linux For Power Little Endian=8.0
redhat Enterprise Linux For Power Little Endian Eus=8.4
redhat Enterprise Linux Server Aus=8.4
redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions=8.4
redhat Enterprise Linux Server Tus=8.4
redhat Enterprise Linux Server Update Services For Sap Solutions=8.4
Fedoraproject Extra Packages For Enterprise Linux=7.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
NetApp Management Services For Element Software And Netapp Hci
NetApp ONTAP Select Deploy administration utility
NetApp SolidFire, Enterprise SDS & HCI Storage Node
NetApp Hci Compute Node Firmware
IBM Cognos Analytics 11.2.x
IBM Cognos Analytics 11.1.x
debian/pypy3: 7.3.5+dfsg-2+deb11u2, 7.3.5+dfsg-2+deb11u5, 7.3.11+dfsg-2+deb12u3, 7.3.19+dfsg-2, 7.3.20+dfsg-4
debian/python2.7: affected <=2.7.18-8+deb11u1
debian/python3.9: affected <=3.9.2-1, fixed in 3.9.2-1+deb11u3

Event History

Aug 10, 2021: CVE Published (12:00 AM)
Aug 18, 2021: Data Sourced via Red Hat (04:33 PM): Description, Severity, Affected Software
Mar 7, 2022: CVE Published via MITRE (12:00 AM); Data Sourced via MITRE (12:00 AM): Description, Weakness
Mar 10, 2022: Data Sourced via NVD (05:42 PM): Remedy, Description, Severity, Weakness, Affected Software
Jan 11, 2024: Data Sourced via Launchpad (11:58 PM): Description
Nov 3, 2025: Data Sourced via Ubuntu (09:53 PM): Remedy, Description, Severity, Affected Software; Data Sourced via Debian (09:55 PM): Description, Affected Software

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

1

What is CVE-2021-3733?

CVE-2021-3733 is a Regular Expression Denial of Service (ReDoS) vulnerability in the AbstractBasicAuthHandler class of Python's urllib.request. The regular expression that parses the scheme and realm out of an HTTP authentication challenge has quadratic worst-case complexity, so a specially crafted challenge from the server can make the client spend a long time in the parser.

2

What can an attacker do with CVE-2021-3733?

An attacker who controls an HTTP server that a urllib.request-based client connects to (one using HTTPBasicAuthHandler or ProxyBasicAuthHandler) can answer with a 401 or 407 response whose WWW-Authenticate or Proxy-Authenticate header is crafted to trigger quadratic regex backtracking. The client stalls while parsing the header, which is a denial of service; the impact is to availability only, not to confidentiality or integrity.

3

How severe is CVE-2021-3733?

CVE-2021-3733 has a CVSS base score of 6.5, which is rated medium: the attacker needs the victim client to connect to a server they control, and the only impact is on availability.

4

Which software versions are affected by CVE-2021-3733?

CVE-2021-3733 affects Python 3.6 before 3.6.14, 3.7 before 3.7.11, 3.8 before 3.8.10 and 3.9 before 3.9.5 (the fixed releases are 3.6.14, 3.7.11, 3.8.10 and 3.9.5), together with the 3.10.0 entry and the distribution and vendor packages listed above that bundle an unfixed interpreter.

5

How can I mitigate CVE-2021-3733?

To mitigate CVE-2021-3733, upgrade to a Python release that carries the fix (3.6.14, 3.7.11, 3.8.10, 3.9.5 or later) or to the patched distribution packages listed above, such as the Red Hat and Debian builds. Where upgrading is not immediately possible, reduce exposure: the vulnerable code only runs when an opener with HTTPBasicAuthHandler or ProxyBasicAuthHandler receives a 401 or 407 challenge, so avoid pointing such clients at servers you do not control, and run requests under a timeout or in a worker that can be killed so a stalled parse cannot take down the whole process.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.