
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-r8wq-qrxc-hmcm) affects python-ldap versions before 3.4.0 and is located in the LDAP schema parser. The issue was discovered in August 2021 and publicly disclosed on November 26, 2021. It is a Regular Expression Denial of Service (ReDoS) vulnerability in the LDAP schema parser that could be triggered when processing untrusted schema definitions (GitHub Advisory, GitHub Lab).
The vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity) with a CVSS v3.1 base score of 6.5 (Medium severity). The attack vector is network-based, with low attack complexity and requiring low privileges. The vulnerability specifically affects the regular expression used in the schema parser, which can perform extremely poorly when processing crafted input strings containing excessive backslashes (GitHub Advisory).
When exploited, this vulnerability can lead to a denial of service condition, particularly affecting the availability of systems that use the ldap.schema package to parse LDAP schema definitions from untrusted sources. The impact is specifically focused on the availability aspect, with no direct effect on confidentiality or integrity (GitHub Advisory).
The vulnerability was patched in python-ldap version 3.4.0, which includes a workaround that refuses schema definitions with an excessive amount of backslashes. For users unable to upgrade immediately, a recommended workaround is to implement input validation checking for excessive backslashes in schemas, with more than a dozen backslashes per line being considered atypical (GitHub Advisory).
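The pre-parse check described above, as an added example that is not python-ldap project code: it counts backslashes per line in each schema definition and refuses any line exceeding the dozen-backslash threshold the advisory names, before the string reaches the regex-based ldap.schema parser. The sample definitions, the function names and the threshold constant are constructed for this example.

```python
"""Input validation for LDAP schema definitions from untrusted sources.

Added example (not python-ldap code). It implements the workaround from the
advisory: reject schema definitions whose lines contain more than a dozen
backslashes before they are handed to the ldap.schema parser.
"""
MAX_BACKSLASHES_PER_LINE = 12  # "more than a dozen per line is atypical"


class SuspiciousSchemaError(ValueError):
    """Raised when a schema definition matches the ReDoS input pattern."""


def excessive_backslash_lines(schema_text, limit=MAX_BACKSLASHES_PER_LINE):
    """Return (line_number, backslash_count) for every line over the limit."""
    offenders = []
    for lineno, line in enumerate(schema_text.splitlines(), start=1):
        count = line.count("\\")
        if count > limit:
            offenders.append((lineno, count))
    return offenders


def validate_schema_definitions(definitions, limit=MAX_BACKSLASHES_PER_LINE):
    """Check an iterable of schema element strings (e.g. attributeTypes values
    read from a subschema subentry). Returns the list unchanged if every
    definition passes; raises SuspiciousSchemaError on the first offender so
    the caller never passes that string to ldap.schema."""
    checked = []
    for definition in definitions:
        offenders = excessive_backslash_lines(definition, limit)
        if offenders:
            lineno, count = offenders[0]
            raise SuspiciousSchemaError(
                f"schema definition line {lineno} has {count} backslashes "
                f"(limit {limit}); refusing to parse untrusted schema"
            )
        checked.append(definition)
    return checked


# Constructed sample input: one ordinary RFC 4512-style attributeType
# definition and one carrying the implausible run of backslashes the
# advisory describes (40 here, far above the threshold).
BENIGN = (
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name "
    "DESC 'RFC4519: common name(s) for which the entity is known by' )"
)
SUSPICIOUS = "( 1.2.3.4 NAME 'x' DESC '" + "\\" * 40 + "' )"

if __name__ == "__main__":
    print(validate_schema_definitions([BENIGN]))  # accepted unchanged
    try:
        validate_schema_definitions([BENIGN, SUSPICIOUS])
    except SuspiciousSchemaError as exc:
        print("rejected:", exc)
```

Run the check on schema text fetched from a directory you do not control before constructing ldap.schema objects from it; upgrading to python-ldap 3.4.0 or later remains the actual fix.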
Source: This report was generated using AI