urllib basic auth regex denial of service

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression (catastrophic backtracking) which can be exploited by an attacker to cause a denial of service.

  • Disclosure date: 2019-11-17 (Python issue bpo-38826 reported)
  • Reported at: 2019-11-17 (bpo-38826)
  • Reported by: Ben Caller and Matt Schwager

Vulnerable Versions

  • Python 3.5 (need commit)
  • Python 3.6 (need release)
  • Python 3.7 (need release)
  • Python 3.8 (need release)

Python issue

Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler.

  • Python issue: bpo-38826
  • Creation date: 2019-11-17
  • Reporter: Ben Caller

CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Timeline

Timeline using the disclosure date 2019-11-17 as reference: