Resource management error in python3 (Alpine package)

1) Resource management error

EUVDB-ID: #VU25631

Risk: Medium

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-8492

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls a HTTP server can send a specially crafted HTTP response to the client application and conduct Regular Expression Denial of Service (ReDoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

python3 (Alpine package): 3.5.1-r0 - 3.8.2-r0

CPE2.3

• cpe:2.3:a:alpine:python3_alpine_package:3.5.1-r0:*:*:*:*:alpine_linux:*:3.3
• cpe:2.3:a:alpine:python3_alpine_package:3.5.6-r0:*:*:*:*:alpine_linux:*:3.5
• cpe:2.3:a:alpine:python3_alpine_package:3.6.5-r0:*:*:*:*:alpine_linux:*:3.5

External links

https://git.alpinelinux.org/aports/commit/?id=17f08ccad8155759775705c3ce0f8ef82a912877
https://git.alpinelinux.org/aports/commit/?id=05546ebd50da460f3e53d4c8df34747c56e47459
https://git.alpinelinux.org/aports/commit/?id=5fbbd588ac1a7f3a4d779fe13c37b9ab4d65e259
https://git.alpinelinux.org/aports/commit/?id=fa2e9ccaee464ee4185696c4ac889805f3814783
https://git.alpinelinux.org/aports/commit/?id=3d60659100e95bd6d05aaceaef7aa2a1410107d8
https://git.alpinelinux.org/aports/commit/?id=8135de912b23c9bd9649fa7b6a59ec455529b7af

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.