#VU25631 Resource management error


Published: 2020-02-26 | Updated: 2020-07-20

Vulnerability identifier: #VU25631

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-8492

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls a HTTP server can send a specially crafted HTTP response to the client application and conduct Regular Expression Denial of Service (ReDoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 2.7.0 - 3.8.2


CPE

External links
http://bugs.python.org/issue39503
http://github.com/python/cpython/pull/18284
http://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
http://security.netapp.com/advisory/ntap-20200221-0001/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability