Vulnerability Details: CVE-2020-8492
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client, because of catastrophic backtracking in the regular expression used by urllib.request.AbstractBasicAuthHandler.
Vulnerability category: Denial of service
Products affected by CVE-2020-8492
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-8492
- Top countries where our scanners detected CVE-2020-8492: (chart not reproduced)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2020-8492: 222,303
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2020-8492
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS score history: (chart not reproduced)
- Percentile: ~58% (the proportion of all scored vulnerabilities whose EPSS score is at or below this one)
CVSS scores for CVE-2020-8492
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C | 8.6 | 6.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2020-8492
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8492
- https://security.netapp.com/advisory/ntap-20200221-0001/ "CVE-2020-8492 Python Vulnerability in NetApp Products | NetApp Product Security" [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/ "[SECURITY] Fedora 32 Update: python36-3.6.11-1.fc32 - package-announce - Fedora Mailing-Lists" [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html "[security-announce] openSUSE-SU-2020:0274-1: moderate: Security update f" [Third Party Advisory]
- https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html "urllib basic auth regex denial of service — Python Security 0.0 documentation" [Exploit; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/ "[SECURITY] Fedora 31 Update: python36-3.6.11-1.fc31 - package-announce - Fedora Mailing-Lists" [Mailing List; Third Party Advisory]
- https://usn.ubuntu.com/4333-2/ "USN-4333-2: Python vulnerabilities | Ubuntu security notices" [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html "[SECURITY] [DLA 3432-1] python2.7 security update"
- https://github.com/python/cpython/pull/18284 "bpo-39503: Fix urllib basic auth regex by vstinner · Pull Request #18284 · python/cpython · GitHub" [Patch; Third Party Advisory]
- https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5@%3Ccommits.cassandra.apache.org%3E "[jira] [Created] (CASSANDRA-16857) Security vulnerability CVE-2020-8492 - Pony Mail" [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/ "[SECURITY] Fedora 32 Update: python3-3.8.3-1.fc32 - package-announce - Fedora Mailing-Lists" [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da@%3Ccommits.cassandra.apache.org%3E "[jira] [Updated] (CASSANDRA-16857) Security vulnerability CVE-2020-8492 - Pony Mail" [Mailing List; Third Party Advisory]
- https://usn.ubuntu.com/4333-1/ "USN-4333-1: Python vulnerabilities | Ubuntu security notices" [Third Party Advisory]
- https://bugs.python.org/issue39503 "Issue 39503: [security] Denial of service in urllib.request.AbstractBasicAuthHandler - Python tracker" [Issue Tracking; Vendor Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/ "[SECURITY] Fedora 31 Update: python38-3.8.3-1.fc31 - package-announce - Fedora Mailing-Lists" [Mailing List; Third Party Advisory]
- https://security.gentoo.org/glsa/202005-09 "Python: Denial of Service (GLSA 202005-09) — Gentoo security" [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html "[SECURITY] [DLA 2280-1] python3.5 security update" [Mailing List; Third Party Advisory]