CVE-2020-8492 — MEDIUM (6.5)

Q: How severe is CVE-2020-8492?

CVE-2020-8492 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8492?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Opensuse Leap, Canonical Ubuntu Linux, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Python	Python	>= 2.7.0, <= 2.7.17
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	12.04
Fedoraproject	Fedora	31
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-400

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.htmlThird Party Advisory
https://bugs.python.org/issue39503Issue TrackingVendor Advisory
https://github.com/python/cpython/pull/18284PatchThird Party Advisory
https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b371
https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.htmlExploitThird Party Advisory
https://security.gentoo.org/glsa/202005-09Third Party Advisory
https://security.netapp.com/advisory/ntap-20200221-0001/Third Party Advisory
https://usn.ubuntu.com/4333-1/Third Party Advisory

FAQ

What is CVE-2020-8492?

CVE-2020-8492 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against...

How severe is CVE-2020-8492?

CVE-2020-8492 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8492?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Opensuse Leap, Canonical Ubuntu Linux, Fedoraproject Fedora, Debian Debian Linux.