CVE-2020-8492

MEDIUM

Python 2.7.0-2.7.17 - Regular Expression Denial of Service via urllib.request.AbstractBasicAuthHandler

Title source: llm

Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References (16)

Core References
Third Party Advisory (vendor-advisory): https://usn.ubuntu.com/4333-1/
Third Party Advisory (vendor-advisory): https://usn.ubuntu.com/4333-2/
Third Party Advisory (vendor-advisory): https://security.gentoo.org/glsa/202005-09
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
Issue Tracking, Vendor Advisory: https://bugs.python.org/issue39503
Patch, Third Party Advisory: https://github.com/python/cpython/pull/18284

Scores

CVSS v3 6.5
EPSS 0.0295
EPSS Percentile 86.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (11)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
fedoraproject/fedora 31
fedoraproject/fedora 32
opensuse/leap 15.1
... and 1 more
Published Jan 30, 2020
Tracked Since Feb 18, 2026