CVE-2020-8492

MEDIUM

Python <3.9 - ReDoS

Title source: llm

Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References (16)

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html

[Issue Tracking, Vendor Advisory] https://bugs.python.org/issue39503

[Patch, Third Party Advisory] https://github.com/python/cpython/pull/18284

[Mailing List] https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

[Exploit, Third Party Advisory] https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html

[Third Party Advisory] https://security.gentoo.org/glsa/202005-09

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200221-0001/

[Third Party Advisory] https://usn.ubuntu.com/4333-1/

[Third Party Advisory] https://usn.ubuntu.com/4333-2/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/

Scores

CVSS v3 6.5

EPSS 0.0351

EPSS Percentile 87.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-400

Status published

Affected Products (11)

python/python < 2.7.17

opensuse/leap

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

fedoraproject/fedora

fedoraproject/fedora

debian/debian_linux

Timeline

Published Jan 30, 2020

Tracked Since Feb 18, 2026