An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
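
The following guard is an added example, not code from this advisory or from CPython: it bounds the length of a hostname taken from a redirect `Location` header before the built-in `idna` codec ever sees it. The names `check_hostname_length`, `redirect_host_to_ascii` and `HostnameRejected` are hypothetical, and applying the DNS limits (253 characters per name, 63 per label) to the raw input is a conservative policy assumed here.

```python
from urllib.parse import urlsplit

MAX_HOSTNAME_LEN = 253  # DNS limit on a full name in text form
MAX_LABEL_LEN = 63      # DNS limit on a single label


class HostnameRejected(ValueError):
    """Raised when a hostname is refused before any IDNA processing."""


def check_hostname_length(host: str) -> str:
    """Return the hostname (minus one trailing dot) if it fits DNS limits."""
    if host.endswith("."):
        host = host[:-1]  # a single trailing dot marks a fully qualified name
    if not host:
        raise HostnameRejected("empty hostname")
    # Cheap O(n) checks first, so an oversized name never reaches the decoder.
    if len(host) > MAX_HOSTNAME_LEN:
        raise HostnameRejected(f"hostname is {len(host)} characters long")
    for label in host.split("."):
        if not label:
            raise HostnameRejected("empty label")
        if len(label) > MAX_LABEL_LEN:
            raise HostnameRejected(f"label is {len(label)} characters long")
    return host


def redirect_host_to_ascii(location: str) -> str:
    """Extract the host from a Location value and return its ASCII form."""
    host = urlsplit(location).hostname
    if host is None:
        raise HostnameRejected("no hostname in Location value")
    checked = check_hostname_length(host)
    # Only length-bounded input is handed to the IDNA codec.
    return checked.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real response.
    samples = ["https://bücher.example/path", "https://" + "a" * 300 + ".example/"]
    for loc in samples:
        try:
            print(redirect_host_to_ascii(loc))
        except HostnameRejected as exc:
            print("rejected:", exc)
```

Upgrading to one of the fixed releases named above remains the remedy; the guard only limits what an unpatched decoder can be asked to process.
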
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python | Python | * | 3.7.15 (including) |
| Python | Python | 3.8.0 (including) | 3.8.15 (including) |
| Python | Python | 3.9.0 (including) | 3.9.15 (including) |
| Python | Python | 3.10.0 (including) | 3.10.8 (including) |
| Python | Python | 3.11.0 (including) | 3.11.0 (including) |
| Python | Python | 3.11.0-alpha1 (including) | 3.11.0-alpha1 (including) |
| Python | Python | 3.11.0-alpha2 (including) | 3.11.0-alpha2 (including) |
| Python | Python | 3.11.0-alpha3 (including) | 3.11.0-alpha3 (including) |
| Python | Python | 3.11.0-alpha4 (including) | 3.11.0-alpha4 (including) |
| Python | Python | 3.11.0-alpha5 (including) | 3.11.0-alpha5 (including) |
| Python | Python | 3.11.0-alpha6 (including) | 3.11.0-alpha6 (including) |
| Python | Python | 3.11.0-alpha7 (including) | 3.11.0-alpha7 (including) |
| Python | Python | 3.11.0-beta1 (including) | 3.11.0-beta1 (including) |
| Python | Python | 3.11.0-beta2 (including) | 3.11.0-beta2 (including) |
| Python | Python | 3.11.0-beta3 (including) | 3.11.0-beta3 (including) |
| Python | Python | 3.11.0-beta4 (including) | 3.11.0-beta4 (including) |
| Python | Python | 3.11.0-beta5 (including) | 3.11.0-beta5 (including) |
| Python | Python | 3.11.0-rc1 (including) | 3.11.0-rc1 (including) |
| Python | Python | 3.11.0-rc2 (including) | 3.11.0-rc2 (including) |
| Red Hat Enterprise Linux 8 | RedHat | python3-0:3.6.8-48.el8_7.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | python38:3.8-8080020221221151857.0d9ba776 | * |
| Red Hat Enterprise Linux 8 | RedHat | python38-devel:3.8-8080020221221151857.0d9ba776 | * |
| Red Hat Enterprise Linux 8 | RedHat | python39:3.9-8080020221221152015.aed85c85 | * |
| Red Hat Enterprise Linux 8 | RedHat | python39-devel:3.9-8080020221221152015.aed85c85 | * |
| Red Hat Enterprise Linux 8 | RedHat | python27:2.7-8080020221221225124.ba5e661a | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | python3-0:3.6.8-47.el8_6.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | python3.9-0:3.9.14-1.el9_1.2 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python38-python-0:3.8.18-2.el7 | * |
| Python | Ubuntu | trusty | * |
| Python | Ubuntu | xenial | * |
| Python2.7 | Ubuntu | bionic | * |
| Python2.7 | Ubuntu | esm-apps/focal | * |
| Python2.7 | Ubuntu | esm-apps/jammy | * |
| Python2.7 | Ubuntu | esm-infra-legacy/trusty | * |
| Python2.7 | Ubuntu | esm-infra/bionic | * |
| Python2.7 | Ubuntu | esm-infra/xenial | * |
| Python2.7 | Ubuntu | focal | * |
| Python2.7 | Ubuntu | jammy | * |
| Python2.7 | Ubuntu | kinetic | * |
| Python2.7 | Ubuntu | trusty | * |
| Python2.7 | Ubuntu | trusty/esm | * |
| Python2.7 | Ubuntu | xenial | * |
| Python3.10 | Ubuntu | jammy | * |
| Python3.10 | Ubuntu | kinetic | * |
| Python3.11 | Ubuntu | esm-apps/jammy | * |
| Python3.11 | Ubuntu | jammy | * |
| Python3.11 | Ubuntu | kinetic | * |
| Python3.11 | Ubuntu | upstream | * |
| Python3.4 | Ubuntu | esm-infra-legacy/trusty | * |
| Python3.4 | Ubuntu | trusty | * |
| Python3.4 | Ubuntu | trusty/esm | * |
| Python3.5 | Ubuntu | esm-infra-legacy/trusty | * |
| Python3.5 | Ubuntu | esm-infra/xenial | * |
| Python3.5 | Ubuntu | trusty | * |
| Python3.5 | Ubuntu | trusty/esm | * |
| Python3.5 | Ubuntu | xenial | * |
| Python3.6 | Ubuntu | bionic | * |
| Python3.6 | Ubuntu | esm-infra/bionic | * |
| Python3.7 | Ubuntu | bionic | * |
| Python3.7 | Ubuntu | esm-apps/bionic | * |
| Python3.8 | Ubuntu | bionic | * |
| Python3.8 | Ubuntu | esm-apps/bionic | * |
| Python3.8 | Ubuntu | esm-infra/focal | * |
| Python3.8 | Ubuntu | focal | * |
| Python3.9 | Ubuntu | esm-apps/focal | * |
| Python3.9 | Ubuntu | focal | * |