Overview
Affected versions of this package are vulnerable to ALAS2-2020-1432. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8492: 1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results
Remediation
Upgrade python-libs to version or higher.
References
- CVE
- ALAS2-2020-1432
- Snyk ID
- SNYK-AMZN2-PYTHONLIBS-571053
- Published
- 03 Jun, 2020