Описание
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Отчет
Applications that use AbstractBasicAuthHandler, HTTPBasicAuthHandler and ProxyBasicAuthHandler may be affected by this flaw. Other classes may use the vulnerable method http_error_auth_reqed in AbstractBasicAuthHandler as well. This flaw is out of support scope for versions of Python shipped in Red Hat Enterprise Linux 7 base OS and Red Hat Enterprise Linux 6. For more information about support life cycles, please see https://access.redhat.com/support/policy/updates/errata/
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python3 | Out of support scope | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Affected | ||
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2021:4057 | 02.11.2021 |
| Red Hat Enterprise Linux 8 | python39 | Fixed | RHSA-2021:4160 | 09.11.2021 |
| Red Hat Enterprise Linux 8 | python39-devel | Fixed | RHSA-2021:4160 | 09.11.2021 |
| Red Hat Enterprise Linux 8 | python38 | Fixed | RHSA-2022:1764 | 10.05.2022 |
| Red Hat Enterprise Linux 8 | python38-devel | Fixed | RHSA-2022:1764 | 10.05.2022 |
| Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2022:1821 | 10.05.2022 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
6.5 Medium
CVSS3
Связанные уязвимости
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker ...
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
6.5 Medium
CVSS3