CVE-2020-8492 — Uncontrolled Resource Consumption in Python
Severity
6.5MEDIUMNVD
OSV7.6OSV7.5OSV6.1
EPSS
3.5%
top 12.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 30
Latest updateJul 11
Description
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6
Affected Packages3 packages
Also affects: Debian Linux 9.0, Fedora 31, 32, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.10, 20.04
Patches
🔴Vulnerability Details
7OSV▶
python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11
📋Vendor Advisories
8💬Community
9Bugzilla▶
CVE-2020-8492 python36: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS [fedora-all]↗2020-03-02
Bugzilla▶
CVE-2020-8492 python36: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS [epel-7]↗2020-03-02
Bugzilla▶
CVE-2020-8492 python3: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS [fedora-all]↗2020-03-02
Bugzilla▶
CVE-2020-8492 python34: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS [epel-all]↗2020-03-02
Bugzilla▶
CVE-2020-8492 python2: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS [fedora-all]↗2020-03-02