CVE-2020-8492
Published: 30 January 2020
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Priority
Low
CVSS 3 base score: 6.5
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.7.17-1~18.04ubuntu1)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(2.7.18-1~20.04.1)
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Needs triage
|
|
| jammy |
Needs triage
|
|
| precise |
Released
(2.7.3-0ubuntu3.17)
|
|
| trusty |
Released
(2.7.6-8ubuntu0.6+esm5)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.7.12-1ubuntu0~16.04.11)
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(3.4.3-1ubuntu1~14.04.7+esm6)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.5.2-2ubuntu0~16.04.10)
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.9-1~18.04ubuntu1)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e |
||
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.7.5-2ubuntu1~18.04.2)
|
| eoan |
Released
(3.7.5-2~19.10ubuntu1)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e |
||
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.8.0-3ubuntu1~18.04.2)
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(3.8.2-1ubuntu1.1)
|
|
| groovy |
Released
(3.8.2-1ubuntu1.1)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41 |
||
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
- https://github.com/python/cpython/pull/18284
- https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
- https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4
- https://ubuntu.com/security/notices/USN-4333-1
- https://ubuntu.com/security/notices/USN-4333-2
- https://ubuntu.com/security/notices/USN-4754-3
- https://ubuntu.com/security/notices/USN-5200-1
- NVD
- Launchpad
- Debian