Lucene search

K
amazonAmazonALAS2-2020-1432
HistoryJun 01, 2020 - 10:38 p.m.

Medium: python

2020-06-0122:38:00
alas.aws.amazon.com
24

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.008 Low

EPSS

Percentile

81.7%

Issue Overview:

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852)

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.(CVE-2020-8492)

Affected Packages:

python

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python to update your system.

New Packages:

aarch64:  
    python-2.7.18-1.amzn2.aarch64  
    python-libs-2.7.18-1.amzn2.aarch64  
    python-devel-2.7.18-1.amzn2.aarch64  
    python-tools-2.7.18-1.amzn2.aarch64  
    tkinter-2.7.18-1.amzn2.aarch64  
    python-test-2.7.18-1.amzn2.aarch64  
    python-debug-2.7.18-1.amzn2.aarch64  
    python-debuginfo-2.7.18-1.amzn2.aarch64  
  
i686:  
    python-2.7.18-1.amzn2.i686  
    python-libs-2.7.18-1.amzn2.i686  
    python-devel-2.7.18-1.amzn2.i686  
    python-tools-2.7.18-1.amzn2.i686  
    tkinter-2.7.18-1.amzn2.i686  
    python-test-2.7.18-1.amzn2.i686  
    python-debug-2.7.18-1.amzn2.i686  
    python-debuginfo-2.7.18-1.amzn2.i686  
  
src:  
    python-2.7.18-1.amzn2.src  
  
x86_64:  
    python-2.7.18-1.amzn2.x86_64  
    python-libs-2.7.18-1.amzn2.x86_64  
    python-devel-2.7.18-1.amzn2.x86_64  
    python-tools-2.7.18-1.amzn2.x86_64  
    tkinter-2.7.18-1.amzn2.x86_64  
    python-test-2.7.18-1.amzn2.x86_64  
    python-debug-2.7.18-1.amzn2.x86_64  
    python-debuginfo-2.7.18-1.amzn2.x86_64  

Additional References

Red Hat: CVE-2018-20852, CVE-2020-8492

Mitre: CVE-2018-20852, CVE-2020-8492

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.008 Low

EPSS

Percentile

81.7%

Related for ALAS2-2020-1432