CVE-2020-8492

medium

Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References

https://github.com/python/cpython/pull/18284

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html

https://bugs.python.org/issue39503

https://security.netapp.com/advisory/ntap-20200221-0001/

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html

https://usn.ubuntu.com/4333-1/

https://usn.ubuntu.com/4333-2/

https://security.gentoo.org/glsa/202005-09

https://lists.fedoraproject.org/archives/list/[email protected]/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/

https://lists.fedoraproject.org/archives/list/[email protected]/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/

https://lists.fedoraproject.org/archives/list/[email protected]/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/

https://lists.fedoraproject.org/archives/list/[email protected]/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b[email protected]%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E

Details

Source: MITRE

Published: 2020-01-30

Updated: 2021-09-16

Type: CWE-400

Risk Information

CVSS v2

Base Score: 7.1

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 8.6

Severity: HIGH

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM