Lucene search

K
amazonAmazonALAS2-2020-1471
HistoryJul 31, 2020 - 7:22 p.m.

Medium: python, python3

2020-07-3119:22:00
alas.aws.amazon.com
32

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.003 Low

EPSS

Percentile

64.4%

Issue Overview:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)

Affected Packages:

python, python3

Issue Correction:
Run yum update python to update your system.
Run yum update python3 to update your system.

New Packages:

aarch64:  
    python-2.7.18-1.amzn2.0.1.aarch64  
    python-libs-2.7.18-1.amzn2.0.1.aarch64  
    python-devel-2.7.18-1.amzn2.0.1.aarch64  
    python-tools-2.7.18-1.amzn2.0.1.aarch64  
    tkinter-2.7.18-1.amzn2.0.1.aarch64  
    python-test-2.7.18-1.amzn2.0.1.aarch64  
    python-debug-2.7.18-1.amzn2.0.1.aarch64  
    python-debuginfo-2.7.18-1.amzn2.0.1.aarch64  
    python3-3.7.8-1.amzn2.0.1.aarch64  
    python3-libs-3.7.8-1.amzn2.0.1.aarch64  
    python3-devel-3.7.8-1.amzn2.0.1.aarch64  
    python3-tools-3.7.8-1.amzn2.0.1.aarch64  
    python3-tkinter-3.7.8-1.amzn2.0.1.aarch64  
    python3-test-3.7.8-1.amzn2.0.1.aarch64  
    python3-debug-3.7.8-1.amzn2.0.1.aarch64  
    python3-debuginfo-3.7.8-1.amzn2.0.1.aarch64  
  
i686:  
    python-2.7.18-1.amzn2.0.1.i686  
    python-libs-2.7.18-1.amzn2.0.1.i686  
    python-devel-2.7.18-1.amzn2.0.1.i686  
    python-tools-2.7.18-1.amzn2.0.1.i686  
    tkinter-2.7.18-1.amzn2.0.1.i686  
    python-test-2.7.18-1.amzn2.0.1.i686  
    python-debug-2.7.18-1.amzn2.0.1.i686  
    python-debuginfo-2.7.18-1.amzn2.0.1.i686  
    python3-3.7.8-1.amzn2.0.1.i686  
    python3-libs-3.7.8-1.amzn2.0.1.i686  
    python3-devel-3.7.8-1.amzn2.0.1.i686  
    python3-tools-3.7.8-1.amzn2.0.1.i686  
    python3-tkinter-3.7.8-1.amzn2.0.1.i686  
    python3-test-3.7.8-1.amzn2.0.1.i686  
    python3-debug-3.7.8-1.amzn2.0.1.i686  
    python3-debuginfo-3.7.8-1.amzn2.0.1.i686  
  
src:  
    python-2.7.18-1.amzn2.0.1.src  
    python3-3.7.8-1.amzn2.0.1.src  
  
x86_64:  
    python-2.7.18-1.amzn2.0.1.x86_64  
    python-libs-2.7.18-1.amzn2.0.1.x86_64  
    python-devel-2.7.18-1.amzn2.0.1.x86_64  
    python-tools-2.7.18-1.amzn2.0.1.x86_64  
    tkinter-2.7.18-1.amzn2.0.1.x86_64  
    python-test-2.7.18-1.amzn2.0.1.x86_64  
    python-debug-2.7.18-1.amzn2.0.1.x86_64  
    python-debuginfo-2.7.18-1.amzn2.0.1.x86_64  
    python3-3.7.8-1.amzn2.0.1.x86_64  
    python3-libs-3.7.8-1.amzn2.0.1.x86_64  
    python3-devel-3.7.8-1.amzn2.0.1.x86_64  
    python3-tools-3.7.8-1.amzn2.0.1.x86_64  
    python3-tkinter-3.7.8-1.amzn2.0.1.x86_64  
    python3-test-3.7.8-1.amzn2.0.1.x86_64  
    python3-debug-3.7.8-1.amzn2.0.1.x86_64  
    python3-debuginfo-3.7.8-1.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2020-8492

Mitre: CVE-2020-8492

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.003 Low

EPSS

Percentile

64.4%

Related for ALAS2-2020-1471