Updated: 2025-11-19 05:39:55.088039
Description:
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 4.0 |
| CVSS Version 3.x | MEDIUM | 6.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | python | 2.6.6 | 6.5 | MEDIUM | Ignored | 2022-06-02 00:32:49 | Ignored due to low severity | |
| CentOS 7 ELS | python | 2.7.5 | 6.5 | MEDIUM | Ignored | 2023-09-19 09:30:17 | Ignored due to low severity | |
| CentOS 7 ELS | python3 | 3.6.8 | 6.5 | MEDIUM | Ignored | 2023-09-19 09:30:16 | Ignored due to low severity | |
| CentOS 8.4 ELS | python3 | 3.6.8 | 6.5 | MEDIUM | Already Fixed | 2022-08-02 04:39:28 | ||
| CentOS 8.4 ELS | python2 | 2.7.18 | 6.5 | MEDIUM | Released | CLSA-2022:1654525948 | 2022-06-06 11:47:17 | |
| CentOS 8.5 ELS | python2 | 2.7.18 | 6.5 | MEDIUM | Released | CLSA-2022:1654526367 | 2022-06-06 11:47:17 | |
| CentOS 8.5 ELS | python3 | 3.6.8 | 6.5 | MEDIUM | Already Fixed | 2022-08-02 04:39:28 | ||
| CloudLinux 6 ELS | python | 2.6.6 | 6.5 | MEDIUM | Ignored | 2022-06-02 00:32:49 | Ignored due to low severity | |
| Oracle Linux 6 ELS | python | 2.6.6 | 6.5 | MEDIUM | Ignored | 2022-06-02 00:32:49 | Ignored due to low severity | |
| Ubuntu 16.04 ELS | python3.5 | 3.5.2 | 6.5 | MEDIUM | Released | CLSA-2021:1635430087 | 2021-11-02 21:02:48 |