CVE-2020-8492
MEDIUM6.5EPSS 3.0%Published: 1/30/2020Modified: 4/28/2026
Also known as:ALPINE-CVE-2020-8492DEBIAN-CVE-2020-8492
Description
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Affected packages (5)
- Alpine/python3from 0, < 3.7.7-r0
- Bitnami/libpython>= 2.7.0, < 2.7.18, >= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
- Bitnami/python>= 2.7.0, < 2.7.18, >= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
- Bitnami/python-min>= 2.7.0, < 2.7.18, >= 3.5.0, < 3.5.10, >= 3.6.0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
- Debian/python2.7from 0, < 2.7.18-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References (19)
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2020-8492
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-8492
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
- WEBhttps://bugs.python.org/issue39503
- WEBhttps://github.com/python/cpython/pull/18284
- WEBhttps://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E
- WEBhttps://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- WEBhttps://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2020-8492
- WEBhttps://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
- WEBhttps://security.gentoo.org/glsa/202005-09
- WEBhttps://security.netapp.com/advisory/ntap-20200221-0001/
- WEBhttps://usn.ubuntu.com/4333-1/
- WEBhttps://usn.ubuntu.com/4333-2/