CVE-2021-32837

Description

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.

How to fix CVE-2021-32837

To remediate CVE-2021-32837, upgrade the affected package to a fixed version below.

• —upgrade to 1:0.4.5-2+deb11u1 or later
• —upgrade to 1:0.2.5-3+deb10u1 or later
• —upgrade to 1:0.4.5-2+deb11u1 or later
• —upgrade to 0.4.6 or later
• —upgrade to dd05334448e9f39814bab044d2eaa5ef69b410d6 or later

Is CVE-2021-32837 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 1:0.4.5-2+deb11u1
• from 0, < 1:0.2.5-3+deb10u1
• from 0, < 1:0.4.5-2+deb11u1
• from 0, < 0.4.6
• from 0, < dd05334448e9f39814bab044d2eaa5ef69b410d6 | from 0, < 0.4.6

CVSS scores

References (12)

• ADVISORYgithub.com/advisories/GHSA-g3pv-pj5f-3hfq
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32837
• ADVISORYsecuritylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize
• ADVISORYsecuritylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/