VIR Vulnerability Intelligence Relay

CVE-2020-7212

unknown
Published 2021-04-30 ยท Modified 2023-11-08
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
โ€”

Description

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Predictions

Exploit likelihood
30%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 1.25.8-1
sid Fixed 1.25.8-1
forky Fixed 1.25.8-1
bullseye Fixed 1.25.8-1
bookworm Fixed 1.25.8-1

Package impact
EcosystemPackageVulnerableFixed
python PyPIurllib3>=1.25.2,<1.25.81.25.8
python PyPIurllib3<a74c9cfbaed9f811e7563cfc3dce894928e0221a||>=1.25.2,<1.25.8a74c9cfbaed9f811e7563cfc3dce894928e0221a

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.