Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of catastrophic backtracking in urllib.request.AbstractBasicAuthHandler.
https://github.com/python/cpython/pull/18284
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://bugs.python.org/issue39503
https://security.netapp.com/advisory/ntap-20200221-0001/
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
https://usn.ubuntu.com/4333-1/
https://usn.ubuntu.com/4333-2/
https://security.gentoo.org/glsa/202005-09
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E
Source: MITRE
Published: 2020-01-30
Updated: 2021-09-16
Type: CWE-400
CVSS v2.0 Base Score: 7.1
CVSS v2.0 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSS v2.0 Impact Score: 6.9
CVSS v2.0 Exploitability Score: 8.6
CVSS v2.0 Severity: HIGH
CVSS v3.1 Base Score: 6.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS v3.1 Impact Score: 3.6
CVSS v3.1 Exploitability Score: 2.8
CVSS v3.1 Severity: MEDIUM