CVE-2020-8492
- Source
- https://cve.org/CVERecord?id=CVE-2020-8492
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8492.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-8492
- Aliases
- Downstream
- Related
- Published
- 2020-01-30T19:15:12.103Z
- Modified
- 2026-03-20T11:37:58.883132Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
- References
-
- https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/
- https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/
- https://security.netapp.com/advisory/ntap-20200221-0001/
- https://security.gentoo.org/glsa/202005-09
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://usn.ubuntu.com/4333-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
- https://usn.ubuntu.com/4333-2/
- https://bugs.python.org/issue39503
- https://github.com/python/cpython/pull/18284
- https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
Affected packages
Git / github.com/python/cpython
Affected ranges
- Type
- GIT
- Repo
- https://github.com/python/cpython
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedLast affectedIntroducedLast affectedIntroducedLast affectedIntroducedLast affected
- Database specific
{ "versions": [ { "introduced": "2.7.0" }, { "last_affected": "2.7.17" }, { "introduced": "3.5.0" }, { "last_affected": "3.5.9" }, { "introduced": "3.6.0" }, { "last_affected": "3.6.10" }, { "introduced": "3.7.0" }, { "last_affected": "3.7.6" }, { "introduced": "3.8.0" }, { "last_affected": "3.8.1" } ] }
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "20.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "31"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8492.json"