Описание
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Отчет
Red Hat Product Security does not consider this to be a vulnerability. The choice of an inefficient algorithm could cause a little more CPU time to be used than the alternative, however the difference in practice is not sufficient to cause a meaningful or even noticeable impact on the application.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | python-urllib3 | Not affected | ||
| Red Hat Enterprise Linux 7 | python-urllib3 | Not affected | ||
| Red Hat Enterprise Linux 8 | python-urllib3 | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | python-urllib3 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | python-urllib3 | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | python-urllib3 | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) | python-urllib3 | Not affected | ||
| Red Hat OpenStack Platform 15 (Stein) | python-urllib3 | Not affected | ||
| Red Hat Quay 3 | python-urllib3 | Not affected | ||
| Red Hat Satellite 6 | python-urllib3 | Not affected |
Показывать по
Дополнительная информация
EPSS
0 Low
CVSS3
Связанные уязвимости
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
The _encode_invalid_chars function in util/url.py in the urllib3 libra ...
Уязвимость модуля urllib3 интерпретатора языка программирования Python, связанная с неконтролируемым расходом ресурса, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
0 Low
CVSS3