CVE-2020-8492

Опубликовано: 30 янв. 2020

Источник: debian

EPSS Низкий

Описание

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
python3.8	fixed	3.8.3~rc1-1		package
python3.7	removed			package
python3.7	fixed	3.7.3-2+deb10u2	buster	package
python3.5	removed			package
python3.4	removed			package
python3.4	postponed		jessie	package
python2.7	fixed	2.7.18-2		package
python2.7	no-dsa		jessie	package

Примечания

https://bugs.python.org/issue39503
https://github.com/python/cpython/pull/18284
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 (master)
https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41 (3.8-branch)
https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e (3.7-branch)
https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e (3.6-branch)

EPSS

Процентиль: 88%

0.04231

Низкий

Связанные уязвимости

CVE-2020-8492

CVSS3: 6.5

ubuntu

больше 5 лет назад

CVE-2020-8492

CVSS3: 6.5

redhat

больше 5 лет назад

CVE-2020-8492

CVSS3: 6.5

nvd

больше 5 лет назад

SUSE-SU-2020:14306-1

suse-cvrf

больше 5 лет назад

Security update for python

GHSA-wh3w-rqc7-4mpf

CVSS3: 6.5

github

около 3 лет назад

EPSS

Процентиль: 88%

0.04231

Низкий