CVE-2020-8492

Severity: MEDIUM (CVSS v3)

Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow a malicious HTTP server to mount a Regular Expression Denial of Service (ReDoS) attack against a client, because urllib.request.AbstractBasicAuthHandler (urllib2 in Python 2) parses the server's authentication challenge with a regular expression that is subject to catastrophic backtracking. The exposure is client-side: the handler is not one of build_opener()'s default handlers, so an application is affected when it installs HTTPBasicAuthHandler or ProxyBasicAuthHandler (both subclasses of AbstractBasicAuthHandler) and fetches URLs from servers or proxies it does not control, since a crafted WWW-Authenticate or Proxy-Authenticate header then keeps the client's CPU busy for a long time in the regex engine.
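To make the backtracking concrete, here is an added example (not code from CPython, from the referenced advisories, or from Tenable) that compiles the pre-fix pattern from urllib.request.AbstractBasicAuthHandler next to a pattern in the shape of the upstream fix, parses a few challenge values with both, and times both against a constructed challenge that contains many commas and no realm. The fixed pattern is reproduced from my reading of the referenced pull request and should be checked against it; parse_challenge, malicious_challenge and time_search are helper names invented for this demonstration, and every header value below is constructed.

```python
"""Added example for CVE-2020-8492: the backtracking regex in
urllib.request.AbstractBasicAuthHandler (pre-fix) beside a linear rewrite in
the shape of the upstream fix. Not CPython's code; header values are constructed."""
import re
import time

# Pre-fix pattern from urllib.request.AbstractBasicAuthHandler (Python 3.8.1 and
# earlier). `(?:.*,)*` can split a run of commas into iterations in exponentially
# many ways, and every split is retried when the later `realm=` fails to match.
VULNERABLE_RX = re.compile(
    '(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)

# Pattern in the shape of the upstream fix (bpo-39503 / PR 18284), reproduced
# from memory: the scheme must sit at the start of the value or directly after a
# comma and may not itself contain a comma, so each character can be consumed
# in only one way and a failing search costs linear time.
FIXED_RX = re.compile(
    '(?:^|,)'        # start of the value or a ','
    '[ \t]*'         # optional whitespace
    '([^ \t,]+)'     # scheme such as "Basic"
    '[ \t]+'         # mandatory whitespace
    'realm=(["\']?)([^"\']*)\\2',   # realm=xxx, realm='xxx' or realm="xxx"
    re.I)


def parse_challenge(rx, authreq):
    """Return (scheme, realm) from a WWW-Authenticate value, or None."""
    mo = rx.search(authreq)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


def malicious_challenge(n_commas):
    """Constructed attacker value: a plausible scheme, then commas, and no
    'realm=' anywhere, so every backtracking path the engine explores fails."""
    return "Basic " + "," * n_commas


def time_search(rx, value):
    """Wall-clock seconds for a single rx.search(value)."""
    t0 = time.perf_counter()
    rx.search(value)
    return time.perf_counter() - t0


if __name__ == "__main__":
    benign = 'Basic realm="corp-intranet"'      # constructed legitimate header
    print("vulnerable:", parse_challenge(VULNERABLE_RX, benign))
    print("fixed:     ", parse_challenge(FIXED_RX, benign))
    # Keep n small: the vulnerable pattern's cost grows exponentially with the
    # number of commas, so a few more would take minutes rather than seconds.
    for n in (8, 12, 16):
        value = malicious_challenge(n)
        print(f"{n:2d} commas: vulnerable {time_search(VULNERABLE_RX, value):.4f}s"
              f"  fixed {time_search(FIXED_RX, value):.6f}s")
```

Both patterns return the same scheme and realm for well-formed challenges, which is what makes the rewrite a safe drop-in; only the failing-search cost differs. Note that the handler in CPython first checks that the leading token is "basic", which is why the constructed value keeps a valid-looking scheme in front of the commas.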

References

https://github.com/python/cpython/pull/18284 (upstream fix)

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html (python-security advisory)

https://bugs.python.org/issue39503 (upstream bug report)

https://security.netapp.com/advisory/ntap-20200221-0001/ (NetApp advisory)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html (openSUSE announcement)

https://usn.ubuntu.com/4333-1/ (Ubuntu USN-4333-1)

https://usn.ubuntu.com/4333-2/ (Ubuntu USN-4333-2)

https://security.gentoo.org/glsa/202005-09 (Gentoo GLSA-202005-09)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/ (Fedora announcement)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/ (Fedora announcement)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/ (Fedora announcement)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/ (Fedora announcement)

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html (Debian LTS announcement)

https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E (Apache Cassandra commits list)

https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E (Apache Cassandra commits list)

Details

Source: MITRE

Published: 2020-01-30

Updated: 2021-09-16

Type: CWE-400 (Uncontrolled Resource Consumption)

Risk Information

CVSS v2

Base Score: 7.1

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 8.6

Severity: HIGH

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins (54 total)

Plugin severity is that of the whole vendor advisory the plugin checks for, which may bundle other CVEs, so it can be higher than this CVE's own rating.

ID | Name | Product | Family | Severity
150511 | SUSE SLES11 Security Update : python (SUSE-SU-2020:14306-1) | Nessus | SuSE Local Security Checks | medium
150311 | FreeBSD : tauthon -- Regular Expression Denial of Service (c7855866-c511-11eb-ae1d-b42e991fc52e) | Nessus | FreeBSD Local Security Checks | medium
148008 | Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3) | Nessus | Ubuntu Local Security Checks | critical
147364 | NewStart CGSL MAIN 6.02 : python3 Multiple Vulnerabilities (NS-SA-2021-0059) | Nessus | NewStart CGSL Local Security Checks | medium
147302 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python3 Multiple Vulnerabilities (NS-SA-2021-0029) | Nessus | NewStart CGSL Local Security Checks | medium
146036 | CentOS 8 : python38:3.8 (CESA-2020:4641) | Nessus | CentOS Local Security Checks | critical
145883 | CentOS 8 : python3 (CESA-2020:4433) | Nessus | CentOS Local Security Checks | medium
145389 | openSUSE Security Update : python3 (openSUSE-2020-2333) | Nessus | SuSE Local Security Checks | critical
145326 | openSUSE Security Update : python3 (openSUSE-2020-2332) | Nessus | SuSE Local Security Checks | critical
144586 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1) | Nessus | SuSE Local Security Checks | critical
144443 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3865-1) | Nessus | SuSE Local Security Checks | critical
143646 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1) | Nessus | SuSE Local Security Checks | high
142786 | Oracle Linux 8 : python3 (ELSA-2020-4433) | Nessus | Oracle Linux Local Security Checks | medium
142431 | RHEL 8 : python38:3.8 (RHSA-2020:4641) | Nessus | Red Hat Local Security Checks | critical
142400 | RHEL 8 : python3 (RHSA-2020:4433) | Nessus | Red Hat Local Security Checks | medium
141770 | Scientific Linux Security Update : python3 on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium
141631 | CentOS 7 : python3 (CESA-2020:3888) | Nessus | CentOS Local Security Checks | medium
141218 | Oracle Linux 7 : python3 (ELSA-2020-3888) | Nessus | Oracle Linux Local Security Checks | medium
141029 | RHEL 7 : python3 (RHSA-2020:3888) | Nessus | Red Hat Local Security Checks | medium
140678 | FreeBSD : Python -- multiple vulnerabilities (2cb21232-fb32-11ea-a929-a4bf014bf5f7) | Nessus | FreeBSD Local Security Checks | high
139339 | Amazon Linux 2 : python / python3 (ALAS-2020-1471) | Nessus | Amazon Linux Local Security Checks | medium
139087 | Amazon Linux AMI : python27 / python34, python35, python36 (ALAS-2020-1407) | Nessus | Amazon Linux Local Security Checks | medium
139086 | Amazon Linux AMI : python26 (ALAS-2020-1406) | Nessus | Amazon Linux Local Security Checks | medium
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | critical
138368 | Fedora 31 : python36 (2020-ea5bdbcc90) | Nessus | Fedora Local Security Checks | medium
138125 | FreeBSD : Python -- multiple vulnerabilities (33c05d57-bf6e-11ea-ba1e-0800273f78d3) | Nessus | FreeBSD Local Security Checks | medium
138114 | Fedora 32 : python36 (2020-8bdd3fd7a4) | Nessus | Fedora Local Security Checks | medium
137877 | Photon OS 1.0: Python3 PHSA-2020-1.0-0304 | Nessus | PhotonOS Local Security Checks | medium
137580 | SUSE SLES12 Security Update : python (SUSE-SU-2020:1524-1) | Nessus | SuSE Local Security Checks | medium
137488 | EulerOS 2.0 SP2 : python (EulerOS-SA-2020-1646) | Nessus | Huawei Local Security Checks | critical
137118 | Fedora 32 : python3 (2020-98e0f0f11b) | Nessus | Fedora Local Security Checks | medium
137089 | Amazon Linux 2 : python (ALAS-2020-1432) | Nessus | Amazon Linux Local Security Checks | medium
136954 | Fedora 31 : python38 (2020-6a88dad4a0) | Nessus | Fedora Local Security Checks | medium
136639 | GLSA-202005-09 : Python: Denial of service | Nessus | Gentoo Local Security Checks | medium
136281 | Ubuntu 20.04 : Python vulnerabilities (USN-4333-2) | Nessus | Ubuntu Local Security Checks | medium
136219 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2020-1516) | Nessus | Huawei Local Security Checks | critical
135944 | FreeBSD : Python -- Regular Expression DoS attack against client (a27b0bb6-84fc-11ea-b5b4-641c67a117d8) | Nessus | FreeBSD Local Security Checks | medium
135894 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : Python vulnerabilities (USN-4333-1) | Nessus | Ubuntu Local Security Checks | medium
135785 | Photon OS 3.0: Python3 PHSA-2020-3.0-0078 | Nessus | PhotonOS Local Security Checks | medium
135784 | Photon OS 3.0: Python2 PHSA-2020-3.0-0078 | Nessus | PhotonOS Local Security Checks | medium
135634 | EulerOS Virtualization 3.0.2.2 : python (EulerOS-SA-2020-1472) | Nessus | Huawei Local Security Checks | critical
135556 | EulerOS 2.0 SP3 : python (EulerOS-SA-2020-1427) | Nessus | Huawei Local Security Checks | critical
135492 | Photon OS 1.0: Python2 PHSA-2020-1.0-0288 | Nessus | PhotonOS Local Security Checks | medium
135299 | Photon OS 2.0: Python3 PHSA-2020-2.0-0226 | Nessus | PhotonOS Local Security Checks | medium
135197 | SUSE SLES12 Security Update : python3 (SUSE-SU-2020:0854-1) | Nessus | SuSE Local Security Checks | medium
135133 | EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2020-1346) | Nessus | Huawei Local Security Checks | medium
135131 | EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2020-1344) | Nessus | Huawei Local Security Checks | medium
134812 | EulerOS 2.0 SP5 : python (EulerOS-SA-2020-1321) | Nessus | Huawei Local Security Checks | medium
134788 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-1296) | Nessus | Huawei Local Security Checks | medium
134787 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-1295) | Nessus | Huawei Local Security Checks | medium
134286 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0557-1) | Nessus | SuSE Local Security Checks | medium
134197 | openSUSE Security Update : python3 (openSUSE-2020-274) | Nessus | SuSE Local Security Checks | medium
134159 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0510-1) | Nessus | SuSE Local Security Checks | medium
134081 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0467-1) | Nessus | SuSE Local Security Checks | medium