CVE-2020-29651Improper Input Validation in PY

CWE-20Improper Input ValidationCWE-400Uncontrolled Resource Consumption9 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.8%
top 26.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Pytest PYFedoraproject FedoraOracle ZFS Storage Appliance KIT
Timeline
PublishedDec 9
Latest updateNov 10

Description

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

PyPIpytest/py< 1.10.0
NVDpytest/py1.9.0

Also affects: Fedora 32, 33

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
py vulnerable to Regular Expression Denial of Service2021-04-20
GHSA
py vulnerable to Regular Expression Denial of Service2021-04-20
CVEList
CVE-2020-29651: A denial of service via regular expression in the py2020-12-09
OSV
CVE-2020-29651: A denial of service via regular expression in the py2020-12-09

📋Vendor Advisories

4
Ubuntu
python-py vulnerability2021-11-10
Microsoft
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying m2020-12-08
Red Hat
python-py: ReDoS in the py.path.svnwc component via mailicious input to blame functionality2020-09-03
Debian
CVE-2020-29651: pypy3 - A denial of service via regular expression in the py.path.svnwc component of py ...2020
CVE-2020-29651 — Improper Input Validation in Pytest PY | cvebase