CVE-2020-7212 - High Severity Vulnerability
Vulnerable Library - urllib3-1.25.3-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /fortifyapi
Path to vulnerable library: /teSource-ArchiveExtractor_1e9dccab-19c9-4f7f-b281-3232def973b5/20190620055030_2831/20190620055020_depth_0/urllib3-1.25.3-py2.py3-none-any/urllib3
Dependency Hierarchy:
- ❌ urllib3-1.25.3-py2.py3-none-any.whl (Vulnerable Library)
Vulnerability Details
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Publish Date: 2020-03-06
URL: CVE-2020-7212
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hmv2-79q8-fv6g
Release Date: 2020-03-09
Fix Resolution: urllib3 - 1.25.8
Step up your Open Source Security Game with Mend here
CVE-2020-7212 - High Severity Vulnerability
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Path to dependency file: /fortifyapi
Path to vulnerable library: /teSource-ArchiveExtractor_1e9dccab-19c9-4f7f-b281-3232def973b5/20190620055030_2831/20190620055020_depth_0/urllib3-1.25.3-py2.py3-none-any/urllib3
Dependency Hierarchy:
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Publish Date: 2020-03-06
URL: CVE-2020-7212
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-hmv2-79q8-fv6g
Release Date: 2020-03-09
Fix Resolution: urllib3 - 1.25.8
Step up your Open Source Security Game with Mend here