Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References

https://github.com/python/cpython/pull/18284

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html

https://bugs.python.org/issue39503

https://security.netapp.com/advisory/ntap-20200221-0001/

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html

https://usn.ubuntu.com/4333-1/

https://usn.ubuntu.com/4333-2/

https://security.gentoo.org/glsa/202005-09

https://lists.fedoraproject.org/archives/list/[email protected]/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/

https://lists.fedoraproject.org/archives/list/[email protected]/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/

https://lists.fedoraproject.org/archives/list/[email protected]/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/

https://lists.fedoraproject.org/archives/list/package-announce[email protected]/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E

Details

Risk Information

CVSS v2

CVSS v3