Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
| Platform | Package | Release Date | Advisory |
|---|---|---|---|
| Amazon Linux 2 - Core | python | 2020-07-31 19:22 | ALAS2-2020-1471 |
| Amazon Linux 2 - Core | python | 2020-06-01 22:38 | ALAS2-2020-1432 |
| Amazon Linux 1 | python26 | 2020-07-27 23:54 | ALAS-2020-1406 |
| Amazon Linux 1 | python27 | 2020-07-27 23:54 | ALAS-2020-1407 |
| Amazon Linux 2 - Core | python3 | 2020-07-31 19:22 | ALAS2-2020-1471 |
| Amazon Linux 1 | python34 | 2020-07-27 23:54 | ALAS-2020-1407 |
| Amazon Linux 1 | python35 | 2020-07-27 23:54 | ALAS-2020-1407 |
| Amazon Linux 1 | python36 | 2020-07-27 23:54 | ALAS-2020-1407 |
| Amazon Linux 2 - Python3.8 Extra | python38 | 2023-08-21 21:00 | ALAS2PYTHON3.8-2023-006 |
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| NVD | CVSSv2 | 7.1 | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| NVD | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
