First published: Fri Dec 17 2021
It was discovered that the urllib.request.AbstractBasicAuthHandler class in Python contains a regex that allows catastrophic backtracking. Specially crafted traffic from a malicious HTTP server could cause a regular expression denial of service (ReDoS) condition for a client. (CVE-2020-8492)

It was discovered that the urllib.request.AbstractBasicAuthHandler class in Python contains a regex with a quadratic worst-case time complexity. Specially crafted traffic from a malicious HTTP server could cause a regular expression denial of service (ReDoS) condition for a client. (CVE-2021-3733)

It was discovered that the Python urllib HTTP client could enter an infinite loop when incorrectly handling certain server responses (100 Continue response). Specially crafted traffic from a malicious HTTP server could cause a denial of service (DoS) condition for a client. (CVE-2021-3737)

Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/python3.7-minimal on Ubuntu 18.04 | <3.7.5-2ubuntu1~18.04.2 | 3.7.5-2ubuntu1~18.04.2 |
ubuntu/libpython3.8-stdlib on Ubuntu 18.04 | <3.8.0-3ubuntu1~18.04.2 | 3.8.0-3ubuntu1~18.04.2 |
ubuntu/libpython3.7-stdlib on Ubuntu 18.04 | <3.7.5-2ubuntu1~18.04.2 | 3.7.5-2ubuntu1~18.04.2 |
ubuntu/python3.7 on Ubuntu 18.04 | <3.7.5-2ubuntu1~18.04.2 | 3.7.5-2ubuntu1~18.04.2 |
ubuntu/python3.8 on Ubuntu 18.04 | <3.8.0-3ubuntu1~18.04.2 | 3.8.0-3ubuntu1~18.04.2 |
ubuntu/python3.8-minimal on Ubuntu 18.04 | <3.8.0-3ubuntu1~18.04.2 | 3.8.0-3ubuntu1~18.04.2 |

The severity of CVE-2020-8492 is low.
CVE-2020-8492 affects the urllib.request.AbstractBasicAuthHandler class in Python.
The remedy for CVE-2020-8492 is to upgrade to python3.7-minimal version 3.7.5-2ubuntu1~18.04.2 or later.
The severity of CVE-2021-3733 is high.
CVE-2021-3733 affects the urllib.request module in Python.
The remedy for CVE-2021-3733 is to upgrade to python3.7-minimal version 3.7.5-2ubuntu1~18.04.2 or later.
The severity of CVE-2021-3737 is low.
CVE-2021-3737 affects the urllib.request module in Python.
The remedy for CVE-2021-3737 is to upgrade to python3.7-minimal version 3.7.5-2ubuntu1~18.04.2 or later.