VDB
BIT-python-2020-8492
BIT-python-2020-8492
PUBLISHED
CVSS 6.5 MEDIUM
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | python | 2.7.0, 3.5.0, 3.6.0 |
Exploit Intelligence
- zephyr-crosstool-arm-grype.html (github-poc)
Timeline
- Mar 6, 2024 CVE Published
- Aug 11, 2025 CVE Updated
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html url
- https://bugs.python.org/issue39503 url
- https://github.com/python/cpython/pull/18284 url
- https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E url
- https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E url
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html url
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/ url
- https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html url
- https://security.gentoo.org/glsa/202005-09 url
- https://security.netapp.com/advisory/ntap-20200221-0001/ url
- https://usn.ubuntu.com/4333-1/ url
- https://usn.ubuntu.com/4333-2/ url
- https://nvd.nist.gov/vuln/detail/CVE-2020-8492 url