NVD Vulnerability Detail

CVE-2020-7212

Summary	The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Publication Date	March 7, 2020, 5:15 a.m.
Registration Date	Jan. 26, 2021, 12:01 p.m.
Last Update	Nov. 21, 2024, 2:36 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:python:urllib3::::::::		1.25.2	1.25.7

Related information, measures and tools

No	URL	タグ
1	https://github.com/urllib3/urllib3/blob/master/CHANGES.rst	Release Notes Third Party Advisory
2	https://github.com/urllib3/urllib3/blob/master/CHANGES.rst	Release Notes Third Party Advisory
3	https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a	Patch Third Party Advisory
4	https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a	Patch Third Party Advisory
5	https://pypi.org/project/urllib3/1.25.8/	Release Notes Vendor Advisory
6	https://pypi.org/project/urllib3/1.25.8/	Release Notes Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-400	リソースの枯渇	https://cwe.mitre.org/data/definitions/400.html

JVN Vulnerability Information

Python 用 urllib3 library におけるリソースの枯渇に関する脆弱性

Title	Python 用 urllib3 library におけるリソースの枯渇に関する脆弱性
Summary	Python 用 urllib3 library には、リソースの枯渇に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 20, 2020, midnight
Registration Date	March 18, 2020, 2:55 p.m.
Last Update	March 18, 2020, 2:55 p.m.

Affected System

Python Software Foundation

urllib3 1.25.2 から 1.25.7

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-7212	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7212
National Vulnerability Database (NVD)
2	CVE-2020-7212	https://nvd.nist.gov/vuln/detail/CVE-2020-7212

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-400	https://cwe.mitre.org/data/definitions/400.html

ベンダー情報

No	Name	URL
GitHub
1	Changes	https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
2	Percent-encode invalid characters with request target (#1586)	https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a
Python
3	urllib3 1.25.8	https://pypi.org/project/urllib3/1.25.8/

Change Log

No	Changed Details	Date of change
1	[2020年03月18日] 掲載	March 18, 2020, 2:55 p.m.