urllib basic auth regex denial of service

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression (one vulnerable to catastrophic backtracking), which an attacker can exploit to cause a denial of service.

See also https://bugs.python.org/issue43075

Dates:

  • Disclosure date: 2019-11-17 (Python issue bpo-38826 reported)
  • Reported at: 2019-11-17 (bpo-38826)
  • Reported by: Ben Caller and Matt Schwager

Fixed In

Python issue

Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler.

  • Python issue: bpo-38826
  • Creation date: 2019-11-17
  • Reporter: Ben Caller

CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
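As an added example (not part of this advisory or of CPython), the following parses the "X.Y through X.Y.Z" clauses out of the CVE-2020-8492 description above and checks a (major, minor, micro) triple against them, which is the check an inventory audit needs. It assumes "2.7 through 2.7.17" means 2.7.0 through 2.7.17, and it compares version numbers only, so a vendor build that backported the bpo-38826 fix without changing its version string is still reported as affected.

```python
import re
import sys
from typing import Dict, Tuple

# The affected-version sentence from the CVE-2020-8492 description (copied from the advisory).
CVE_2020_8492_TEXT = (
    "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, "
    "3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct "
    "Regular Expression Denial of Service (ReDoS) attacks against a client"
)

# One "X.Y through X.Y.Z" clause; no nested quantifiers, so matching is linear-time.
_RANGE_RE = re.compile(r"(\d+)\.(\d+) through (\d+)\.(\d+)\.(\d+)")


def parse_affected_ranges(text: str) -> Dict[Tuple[int, int], int]:
    """Map each (major, minor) series to the last affected micro version.

    Assumption: "2.7 through 2.7.17" names a series start, so it is read as
    2.7.0 through 2.7.17.
    """
    ranges: Dict[Tuple[int, int], int] = {}
    for lo_major, lo_minor, hi_major, hi_minor, hi_micro in _RANGE_RE.findall(text):
        if (lo_major, lo_minor) != (hi_major, hi_minor):
            raise ValueError(f"range crosses series: {lo_major}.{lo_minor} -> {hi_major}.{hi_minor}")
        ranges[(int(lo_major), int(lo_minor))] = int(hi_micro)
    return ranges


def is_affected(version: Tuple[int, int, int], ranges: Dict[Tuple[int, int], int]) -> bool:
    """True if (major, minor, micro) is at or below the last affected micro of its series.

    Caveat: a distribution that backported the bpo-38826 fix without changing
    the version string is still reported as affected; treat True as "verify".
    """
    major, minor, micro = version
    last_bad = ranges.get((major, minor))
    return last_bad is not None and micro <= last_bad


def check_running_interpreter() -> str:
    """One-line verdict for the interpreter executing this script."""
    v = sys.version_info
    ranges = parse_affected_ranges(CVE_2020_8492_TEXT)
    verdict = "affected" if is_affected((v.major, v.minor, v.micro), ranges) else "not affected"
    return f"Python {v.major}.{v.minor}.{v.micro}: {verdict} by CVE-2020-8492"


if __name__ == "__main__":
    print(check_running_interpreter())
```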

Timeline

Timeline using the disclosure date 2019-11-17 as reference: