
CVE-2021-32837: mechanize Regular Expression Denial of Service vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.88099%
Published: 1/18/2023
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mechanize | pip | < 0.4.6 | 0.4.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from an inefficient regular expression that AbstractBasicAuthHandler used to parse the authentication challenge header sent back by a web server. Commit dd05334 replaced that regex with the more efficient version from Python 3.9's urllib and added tests verifying that malicious inputs such as ',,,,,,...' are rejected without hanging. The leading '(?:.*,)*' portion of the old pattern can split a run of commas in exponentially many ways, so a header made up largely of commas that never reaches the expected 'realm=' forces catastrophic backtracking, as the added test case demonstrates. Because the header is attacker-controlled (any server mechanize is pointed at can send it), a malicious response is enough to tie up the client.
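The following added example (not mechanize's own code) puts the two patterns side by side and measures the backtracking blow-up on a constructed comma-only header. The vulnerable pattern is the pre-3.9 CPython urllib pattern, which this analysis indicates mechanize's pre-0.4.6 AbstractBasicAuthHandler used in the same form (assumed identical here); the fixed pattern is the one CPython 3.9 adopted. The helper names (parse_challenge, malicious_header, time_search, backtracking_growth) are this example's own.

```python
import re
import time

# Pattern from mechanize's AbstractBasicAuthHandler before 0.4.6, which is the
# pre-3.9 CPython urllib pattern (assumption: mechanize's copy was identical).
# The leading (?:.*,)* can consume a run of commas in exponentially many ways.
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Replacement pattern, as in CPython 3.9 urllib: each challenge is anchored at
# the start of the string or at a comma, and the scheme token cannot contain a
# comma, so every comma is examined once and backtracking stays linear.
FIXED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_challenge(header, rx=FIXED_RX):
    """Return (scheme, realm) for the first challenge found in a
    WWW-Authenticate / Proxy-Authenticate value, or None if there is no
    'realm=' challenge."""
    mo = rx.search(header)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


def malicious_header(n_commas):
    """Constructed attacker input: a server-sent header that is mostly commas
    and never contains 'realm=', so every way of splitting the commas is
    tried before the match fails."""
    return "," * n_commas + "A"


def time_search(rx, header, repeats=3):
    """Best-of-N wall-clock seconds for a single rx.search(header)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        rx.search(header)
        best = min(best, time.perf_counter() - start)
    return best


def backtracking_growth(rx, small=12, large=16):
    """How much slower the search gets when the comma run grows from `small`
    to `large`. An exponential pattern roughly doubles per extra comma
    (so on the order of 2**(large-small) here); a linear pattern stays
    near 1."""
    return (time_search(rx, malicious_header(large))
            / time_search(rx, malicious_header(small)))


if __name__ == "__main__":
    # Both patterns agree on well-formed single challenges, quoted or not.
    for hdr in ('Basic realm="Secure Area"', "Basic realm=files"):
        print(hdr, "->", parse_challenge(hdr, VULNERABLE_RX),
              parse_challenge(hdr, FIXED_RX))
    # Only the old pattern blows up as the comma run grows; each extra pair
    # of commas roughly quadruples the vulnerable search time.
    for n in (12, 14, 16, 18):
        h = malicious_header(n)
        print("%2d commas: vulnerable %.4fs  fixed %.6fs"
              % (n, time_search(VULNERABLE_RX, h), time_search(FIXED_RX, h)))
```

Keep the comma count modest when running this: the vulnerable pattern's cost roughly doubles per comma, so a few dozen commas is already enough to stall a process for minutes, which is exactly what a hostile server can trigger in an unpatched client.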


WAF Protection Rules

WAF Rule

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mecha
