Candidate: CVE-2020-7212
PublicDate: 2020-03-06 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7212
 https://github.com/urllib3/urllib3/pull/1787
 https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
 https://pypi.org/project/urllib3/1.25.8/
 https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a
Description:
 The _encode_invalid_chars function in util/url.py in the urllib3 library
 1.25.2 through 1.25.7 for Python allows a denial of service (CPU
 consumption) because of an inefficient algorithm. The percent_encodings
 array contains all matches of percent encodings. It is not deduplicated.
 For a URL of length N, the size of percent_encodings may be up to O(N). The
 next step (normalize existing percent-encoded bytes) also takes up to O(N)
 for each step, so the total time is O(N^2). If percent_encodings were
 deduplicated, the time to compute _encode_invalid_chars would be O(kN),
 where k is at most 484 ((10+6*2)^2).
Ubuntu-Description:
Notes:
 leosilva> Introduced by a74c9cfbaed9f811e7563cfc3dce894928e0221a
 leosilva> fixed by a2697e7c6b275f05879b60f593c5854a816489f0
 leosilva> Introduced in 1.25.2 and fixed in 1.25.8
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_python-urllib3:
 upstream: https://github.com/urllib3/urllib3/commit/a2697e7c6b275f05879b60f593c5854a816489f0
upstream_python-urllib3: released (1.25.8)
precise/esm_python-urllib3: DNE
trusty_python-urllib3: ignored (out of standard support)
trusty/esm_python-urllib3: not-affected
xenial_python-urllib3: not-affected
esm-infra/xenial_python-urllib3: not-affected
bionic_python-urllib3: not-affected
eoan_python-urllib3: not-affected
focal_python-urllib3: not-affected (1.25.8-2)
devel_python-urllib3: not-affected (1.25.8-2)