Python -- Regular Expression DoS attack against client

2019-11-1700:00:00

vuxml.freebsd.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

0.008 Low

EPSS

Percentile

81.8%

JSON

Ben Caller and Matt Schwager reports:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
Regular Expression Denial of Service (ReDoS) attacks against a client
because of urllib.request.AbstractBasicAuthHandler catastrophic
backtracking.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchpython38< 3.8.3UNKNOWN
FreeBSDanynoarchpython37<= 3.7.7UNKNOWN
FreeBSDanynoarchpython36< 3.6.10UNKNOWN
FreeBSDanynoarchpython35<= 3.5.9_4UNKNOWN
FreeBSDanynoarchpython27< 2.7.18UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	python38	< 3.8.3	UNKNOWN
FreeBSD	any	noarch	python37	<= 3.7.7	UNKNOWN
FreeBSD	any	noarch	python36	< 3.6.10	UNKNOWN
FreeBSD	any	noarch	python35	<= 3.5.9_4	UNKNOWN
FreeBSD	any	noarch	python27	< 2.7.18	UNKNOWN