CVE-2020-7212

CWE-400Uncontrolled Resource ConsumptionCWE-20Improper Input ValidationCWE-190Integer OverflowCWE-476NULL Pointer Dereference12 documents7 sources
Severity
7.5HIGH
EPSS
0.7%
top 28.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Urllib3
Timeline
PublishedMar 6
Latest updateApr 30

Description

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings w

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Debianpython-urllib3< 1.25.8-1+3
NVDpython/urllib31.25.21.25.7
PyPIurllib31.25.21.25.8

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Uncontrolled Resource Consumption in urllib32021-04-30
GHSA
Uncontrolled Resource Consumption in urllib32021-04-30
OSV
CVE-2020-7212: The _encode_invalid_chars function in util/url2020-03-06
CVEList
CVE-2020-7212: The _encode_invalid_chars function in util/url2020-03-06

📋Vendor Advisories

5
Red Hat
kernel: Improper input validation in some Intel(R) Graphics Drivers2021-02-17
Red Hat
kernel: Integer overflow in Intel(R) Graphics Drivers2021-02-17
Red Hat
kernel: Null pointer dereference in some Intel(R) Graphics Drivers2021-02-17
Red Hat
python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py2020-03-06
Debian
CVE-2020-7212: python-urllib3 - The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 ...2020

💬Community

2
Bugzilla
CVE-2020-7212 python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py [fedora-all]2020-03-10
Bugzilla
CVE-2020-7212 python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py2020-03-10
CVE-2020-7212 (HIGH CVSS 7.5) | The _encode_invalid_chars function | cvebase.io