CVE-2020-8492

Name of the Vulnerable Software and Affected Versions Python versions 2.7 through 2.7.17 Python versions 3.5 through 3.5.9 Python versions 3.6 through 3.6.10 Python versions 3.7 through 3.7.6 Python versions 3.8 through 3.8.1

Description The issue is related to an uncontrolled consumption of resources in the Python interpreter. It allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. This can be exploited by a remote attacker to cause a denial of service.

Recommendations For Python versions 2.7 through 2.7.17, consider disabling the urllib.request.AbstractBasicAuthHandler to minimize the risk of exploitation until a patch is available. For Python versions 3.5 through 3.5.9, consider disabling the urllib.request.AbstractBasicAuthHandler to minimize the risk of exploitation until a patch is available. For Python versions 3.6 through 3.6.10, consider disabling the urllib.request.AbstractBasicAuthHandler to minimize the risk of exploitation until a patch is available. For Python versions 3.7 through 3.7.6, consider disabling the urllib.request.AbstractBasicAuthHandler to minimize the risk of exploitation until a patch is available. For Python versions 3.8 through 3.8.1, consider disabling the urllib.request.AbstractBasicAuthHandler to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider restricting access to the vulnerable urllib.request module to minimize the risk of exploitation.