CVE-2020-7212 (High) detected in urllib3-1.25.7-py2.py3-none-any.whl

[mend-bolt-for-github]

CVE-2020-7212 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 69af70874e7f40f0a465824026c483c8d5920370

Found in base branch: master

Vulnerability Details

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Publish Date: 2020-03-06

URL: CVE-2020-7212

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmv2-79q8-fv6g

Release Date: 2020-03-09

Fix Resolution: urllib3 - 1.25.8

---

Step up your Open Source Security Game with Mend here