Description
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
An uncontrolled resource consumption flaw was found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.
Statement
This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.
Mitigation
Use strict mode to parse WWW-Authenticate headers. This can be done by setting httplib2.USE_WWW_AUTH_STRICT_PARSING = True before the client issues requests. Please note, however, that strict mode might lead to bad results in case of ill-formed header values. Upgrading to httplib2 0.19.0 or later, which replaces the regular-expression parser with a pyparsing-based implementation, removes the flaw itself.
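The following is an added example, not code from httplib2 or from this advisory. It illustrates the class of flaw described above (a relaxed key=value regex whose `\s*` and negated character class both match U+00A0, so a run of NBSPs forces heavy backtracking) and contrasts it with a hand-written single-pass parser that rejects such input immediately. The regex `RELAXED_PARAM` is an assumed illustrative pattern with the same structural weakness, not httplib2's actual expression; `parse_www_authenticate`, `is_well_formed` and `regex_cost` are names introduced here, and the attack string is constructed for the demo.

```python
import re
import string
import time

# Illustrative regex with the structural weakness the advisory describes
# (an assumption for demonstration, NOT httplib2's exact pattern): in Python 3
# `\s` is Unicode-aware and matches U+00A0 (NBSP), while the negated class
# `[^ \t\r\n=]` excludes only ASCII whitespace, so both quantifiers can claim
# the same NBSP. On a run of NBSPs with no '=' the engine tries every way of
# splitting the run between them before giving up (cubic work for this pattern).
RELAXED_PARAM = re.compile(r'^\s*(?:,\s*)?([^ \t\r\n=]+)\s*=\s*"?([^"\s,]+)"?(.*)$')


def regex_cost(n):
    """Seconds the backtracking regex spends failing on n NBSPs (demo only)."""
    payload = "\xa0" * n  # constructed malicious header fragment
    start = time.perf_counter()
    RELAXED_PARAM.search(payload)
    return time.perf_counter() - start


# Hardened alternative: one left-to-right pass with an explicit index.
# Only SP and HTAB count as whitespace and only RFC 7230 tchar characters may
# form a scheme or parameter name, so NBSP is an invalid character that is
# rejected in O(1) rather than something two quantifiers fight over.
_WS = " \t"
_TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def parse_www_authenticate(value):
    """Parse a WWW-Authenticate value into {scheme: {param: value}}.

    Handles several comma-separated challenges and quoted-string values with
    backslash escapes. Bare token68 credentials (e.g. `Negotiate <base64>`)
    are not supported. Raises ValueError on malformed input.
    """
    n = len(value)

    def skip_ws(i):
        while i < n and value[i] in _WS:
            i += 1
        return i

    def read_token(i):
        j = i
        while j < n and value[j] in _TCHAR:
            j += 1
        if j == i:
            raise ValueError(f"expected token at offset {i}")
        return value[i:j], j

    def read_quoted(i):
        # value[i] is the opening quote; collect until the closing quote,
        # unescaping backslash quoted-pairs on the way.
        out, j = [], i + 1
        while j < n and value[j] != '"':
            if value[j] == "\\" and j + 1 < n:
                j += 1
            out.append(value[j])
            j += 1
        if j >= n:
            raise ValueError("unterminated quoted-string")
        return "".join(out), j + 1

    challenges = {}
    i = skip_ws(0)
    while i < n:
        scheme, i = read_token(i)
        params = {}
        i = skip_ws(i)
        while i < n:
            if value[i] == ",":
                i = skip_ws(i + 1)
                continue
            name, j = read_token(i)
            j = skip_ws(j)
            if j < n and value[j] == "=":
                j = skip_ws(j + 1)
                if j < n and value[j] == '"':
                    val, j = read_quoted(j)
                else:
                    val, j = read_token(j)
                params[name.lower()] = val
                i = skip_ws(j)
            else:
                break  # a token with no '=' starts the next challenge
        challenges[scheme.lower()] = params
    return challenges


def is_well_formed(value):
    """True if the header parses cleanly, False if it is rejected."""
    try:
        parse_www_authenticate(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_www_authenticate('Digest realm="r@x", qop="auth,auth-int", nonce="n1", algorithm=MD5'))
    attack = "Digest " + "\xa0" * 200_000  # constructed malicious challenge
    print("hardened parser rejects attack:", not is_well_formed(attack))
    for n in (100, 200, 300):  # watch the regex cost climb with input length
        print(f"regex on {n} NBSPs: {regex_cost(n):.3f}s")
```

Running the script shows the regex timings growing far faster than linearly with the NBSP count, while the hand-written parser rejects a 200,000-character flood without measurable delay. The design point is the one the advisory's fix relies on: parse headers with a tokenizer that has a single, unambiguous way to consume each character, so that adversarial input cannot drive the matcher into a backtracking search.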
Affected packages
Platform | Package | State | Advisory | Release date
---|---|---|---|---
Red Hat Ceph Storage 2 | python-httplib2 | Out of support scope | |
Red Hat Enterprise Linux 7 | fence-agents | Out of support scope | |
Red Hat Enterprise Linux 8 | python-httplib2 | Fix deferred | |
Red Hat Enterprise Linux 9 | python-httplib2 | Not affected | |
Red Hat OpenStack Platform 10 (Newton) | python-httplib2 | Out of support scope | |
Red Hat OpenStack Platform 13 (Queens) | python-httplib2 | Will not fix | |
Red Hat Storage 3 | python-httplib2 | Affected | |
Red Hat Update Infrastructure 3 for Cloud Providers | python-httplib2 | Fix deferred | |
Red Hat OpenStack Platform 16.1 | python-httplib2 | Fixed | RHSA-2021:2116 | 26.05.2021
Additional information
CVSS3: 7.5 High
Related vulnerabilities
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
Regular Expression Denial of Service (REDoS) in httplib2
Vulnerability in the httplib2 HTTP client library related to uncontrolled resource consumption, allowing an attacker to cause a denial of service