CVE-2020-29651
Denial of Service vulnerability in py (PyPI)

Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2020-29651 About?

This is a Denial of Service vulnerability stemming from a regular expression in the `py.path.svnwc` component of Python's 'py' library. Attackers can exploit it by supplying malicious input to the blame functionality, causing a compute-time denial of service. Exploitation is relatively straightforward, requiring only crafted input.

Affected Software

py <1.10.0

Technical Details

The vulnerability resides in the py.path.svnwc component of the Python 'py' library and affects versions through 1.9.0. It is a Regular Expression Denial of Service (ReDoS): a poorly constructed regular expression takes an excessive amount of time to process certain inputs because of catastrophic backtracking. An attacker can craft an input string that, when processed by the vulnerable regular expression in the 'blame' functionality, causes the regex engine to consume a disproportionate amount of CPU time. The prolonged processing leaves the application unresponsive, denying service to legitimate users while the system is tied up processing the malicious input.

What is the Impact of CVE-2020-29651?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, leading to a denial of service where the system becomes unresponsive or crashes.

What is the Exploitability of CVE-2020-29651?

Exploitation of this vulnerability is of medium complexity, requiring mainly knowledge of regular expression weaknesses. No authentication or privilege requirements are stated; the issue can likely be triggered by any user able to supply input to the 'blame' functionality, remotely or locally depending on how the application is exposed. The primary prerequisite is the ability to submit crafted input that reaches the vulnerable regular expression. The likelihood of exploitation increases if the affected application is publicly accessible and accepts arbitrary user input that is then processed by the vulnerable component.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-29651?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch changes the regex in rex_blame so that the separator between the revision and username fields must be at least one whitespace character (\s+) rather than zero or more (\s*). This removes the ambiguity over which field a run of characters belongs to, the ambiguity that allowed catastrophic regex backtracking, and so prevents the Regular Expression Denial of Service (ReDoS) attack tracked as CVE-2020-29651 when specially crafted long numeric input is processed.
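As an added illustration of both the ReDoS described under Technical Details and this fix (not the py project's own code), the two patterns below follow the advisory's description of the rex_blame change; their exact shape, the sample blame lines and the hostile digit string are all assumptions constructed here. Matching a long all-digit line against the old pattern shows the quadratic backtracking, while the fixed pattern rejects the same line in linear time.

```python
import re
import time

# Assumed shape of py's rex_blame, per the advisory: the only change is the
# quantifier between the revision and username fields (\s* -> \s+).
REX_BLAME_VULNERABLE = re.compile(r"\s*(\d+)\s*(\S+) (.*)")  # py <= 1.9.0 (assumed)
REX_BLAME_FIXED = re.compile(r"\s*(\d+)\s+(\S+) (.*)")       # py 1.10.0 (assumed)


def parse_blame_line(line, pattern=REX_BLAME_FIXED):
    """Split one 'svn blame' output line into (revision, author, text), or None."""
    m = pattern.match(line)
    if m is None:
        return None
    rev, author, text = m.groups()
    return int(rev), author, text


def time_match(pattern, line):
    """Seconds spent on a single match attempt of `line` against `pattern`."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


def hostile_blame_line(n):
    # Constructed hostile input: a long digit run with no whitespace at all.
    # Old pattern: \d+ and \S+ can both claim the digits because \s* may be
    # empty, so every split is retried before the literal ' ' fails -> O(n^2).
    # Fixed pattern: once \s+ fails, shortening \d+ never helps (the next
    # character is still a digit), so the attempt fails in O(n).
    return "7" * n


if __name__ == "__main__":
    # Constructed sample line in svn blame layout: revision, author, text.
    sample = "   42   alice import py"
    print(parse_blame_line(sample, REX_BLAME_VULNERABLE))  # same result for both
    print(parse_blame_line(sample, REX_BLAME_FIXED))
    # A run-on revision/author was accepted by the old pattern; the fix rejects it.
    print(parse_blame_line("42alice import py", REX_BLAME_VULNERABLE))
    print(parse_blame_line("42alice import py", REX_BLAME_FIXED))
    hostile = hostile_blame_line(10_000)
    print("fixed:      %.6f s" % time_match(REX_BLAME_FIXED, hostile))
    print("vulnerable: %.6f s" % time_match(REX_BLAME_VULNERABLE, hostile))
```

Well-formed blame lines parse identically under both patterns; only the ambiguous and hostile inputs behave differently.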

Available Upgrade Options

  • py
    • <1.10.0 → Upgrade to 1.10.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-29651?

Similar Vulnerabilities: CVE-2021-29063, CVE-2021-23437, CVE-2021-25292, CVE-2022-24706, CVE-2021-4122