CVE-2020-7212 - OpenCVE

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Python	Urllib3

Configuration 1 [-]

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.novell.com/show_bug.cgi?id=1166069
https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a
https://nvd.nist.gov/vuln/detail/CVE-2020-7212
https://pypi.org/project/urllib3/1.25.8/
https://www.cve.org/CVERecord?id=CVE-2020-7212

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-06T19:14:54

Updated: 2024-08-04T09:25:48.318Z

Reserved: 2020-01-16T00:00:00

Link: CVE-2020-7212

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-03-06T20:15:12.707

Modified: 2020-03-09T16:55:14.563

Link: CVE-2020-7212

Redhat

Severity :

Publid Date: 2020-03-06T00:00:00Z

Links: CVE-2020-7212 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-06T19:14:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/urllib3/urllib3/blob/master/CHANGES.rst"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/urllib3/1.25.8/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7212", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/urllib3/urllib3/blob/master/CHANGES.rst", "refsource": "MISC", "url": "https://github.com/urllib3/urllib3/blob/master/CHANGES.rst"}, {"name": "https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a", "refsource": "MISC", "url": "https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a"}, {"name": "https://pypi.org/project/urllib3/1.25.8/", "refsource": "MISC", "url": "https://pypi.org/project/urllib3/1.25.8/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:25:48.318Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/urllib3/urllib3/blob/master/CHANGES.rst"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/urllib3/1.25.8/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7212", "datePublished": "2020-03-06T19:14:54", "dateReserved": "2020-01-16T00:00:00", "dateUpdated": "2024-08-04T09:25:48.318Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6E2E571-FF01-4577-BEE4-CD2F2448A06E", "versionEndIncluding": "1.25.7", "versionStartIncluding": "1.25.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2)."}, {"lang": "es", "value": "La funci\u00f3n _encode_invalid_chars en el archivo util/url.py en la biblioteca urllib3 versiones 1.25.2 hasta 1.25.7 para Python, permite una denegaci\u00f3n de servicio (consumo de CPU) debido a un algoritmo ineficiente. La matriz percent_encodings contiene todas las coincidencias de las codificaciones porcentuales. No est\u00e1 desdoblada. Para una URL de longitud N, el tama\u00f1o de percent_encodings puede ser hasta O(N). El siguiente paso (normalizar los bytes codificados porcentualmente existentes) tambi\u00e9n ocupa hasta O(N) para cada paso, por lo que el tiempo total es O(N^2). Si se desdoblaran los porcentajes de codificaci\u00f3n, el tiempo para calcular _encode_invalid_chars ser\u00eda O(kN), donde k es como m\u00e1ximo 484 ((10+6*2)^2)."}], "id": "CVE-2020-7212", "lastModified": "2020-03-09T16:55:14.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-06T20:15:12.707", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/blob/master/CHANGES.rst"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pypi.org/project/urllib3/1.25.8/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py", "id": "1812095", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812095"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-400", "details": ["The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2)."], "name": "CVE-2020-7212", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-mongodb36-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-urllib3", "product_name": "Red Hat Storage 3"}], "public_date": "2020-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7212\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7212\nhttps://bugzilla.novell.com/show_bug.cgi?id=1166069\nhttps://pypi.org/project/urllib3/1.25.8/"], "statement": "Red Hat Product Security does not consider this to be a vulnerability. The choice of an inefficient algorithm could cause a little more CPU time to be used than the alternative, however the difference in practice is not sufficient to cause a meaningful or even noticeable impact on the application.", "upstream_fix": "urllib3 1.25.8"}