Описание
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Отчет
Applications that use AbstractBasicAuthHandler, HTTPBasicAuthHandler and ProxyBasicAuthHandler may be affected by this flaw. Other classes may use the vulnerable method http_error_auth_reqed in AbstractBasicAuthHandler as well. Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as notaffected as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | python | Out of support scope | ||
| Red Hat Enterprise Linux 6 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python | Will not fix | ||
| Red Hat Enterprise Linux 8 | python27:2.7/python2 | Will not fix | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Software Collections | python27-python | Will not fix | ||
| Red Hat Software Collections | rh-python38-python | Not affected | ||
| Red Hat Enterprise Linux 7 | python3 | Fixed | RHSA-2020:3888 | 29.09.2020 |
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2020:4433 | 04.11.2020 |
| Red Hat Enterprise Linux 8 | python38 | Fixed | RHSA-2020:4641 | 04.11.2020 |
Показывать по
Дополнительная информация
Статус:
6.5 Medium
CVSS3
Связанные уязвимости
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 ...
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
6.5 Medium
CVSS3