CVE-2020-28493 Information
Description
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regular expression and its use of multiple wildcards. The last wildcard is the most exploitable, as it searches for trailing punctuation: the lazy middle wildcard is extended one character at a time, and for every candidate length the engine re-matches the trailing punctuation group and backs it off token by token when the end anchor fails, so a word with many trailing punctuation characters costs roughly quadratic time. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
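The following is an added illustration, not code from the jinja project or from the advisory. It reconstructs the shape of the pre-2.11.3 _punctuation_re (leading punctuation, lazy wildcard middle, trailing punctuation, anchored at both ends; the exact token lists and layout are an assumption, not the project's verbatim source), shows a constructed input that drives the trailing group into quadratic backtracking, and pairs it with a linear-time split that returns the same (lead, middle, trail) triple without a backtracking regex. The linear split is this example's own hardening, not the fix shipped in 2.11.3.

```python
import re
import time

# Assumed reconstruction of the pre-2.11.3 pattern's shape (illustration only,
# not the project's verbatim source). urlize applies it to each
# whitespace-split word, so every input below is a single word.
LEAD = ("(", "<", "&lt;")
TRAIL = (".", ",", ")", ">", "\n", "&gt;")
VULNERABLE_RE = re.compile(
    r"^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$"
    % ("|".join(map(re.escape, LEAD)), "|".join(map(re.escape, TRAIL)))
)


def split_with_regex(word):
    """Backtracking split. For each candidate length of the lazy middle the
    engine re-matches the trailing group and then gives back one token at a
    time when `$` fails, so cost grows with the square of the number of
    trailing punctuation tokens that are not actually at the end."""
    m = VULNERABLE_RE.match(word)
    return m.group("lead"), m.group("middle"), m.group("trail")


def split_linear(word):
    """Same (lead, middle, trail) result in O(len(word)). Tokenisation is
    deterministic because '&' only occurs inside '&lt;' and '&gt;'."""
    n = len(word)
    i = 0
    while i < n:  # greedy lead, matching the regex's first group
        if word[i] in "(<":
            i += 1
        elif word.startswith("&lt;", i):
            i += 4
        else:
            break
    lead_end = i
    # valid[j] is True when word[j:] is a concatenation of TRAIL tokens
    valid = [False] * (n + 1)
    valid[n] = True
    for j in range(n - 1, -1, -1):
        if word[j] in ".,)>\n" and valid[j + 1]:
            valid[j] = True
        elif word.startswith("&gt;", j) and valid[j + 4]:
            valid[j] = True
    # the lazy middle stops at the first position whose suffix is all trail
    trail_start = next(j for j in range(lead_end, n + 1) if valid[j])
    return word[:lead_end], word[lead_end:trail_start], word[trail_start:]


def redos_payload(n):
    """Constructed word: n closers that look like trailing punctuation,
    followed by one character that keeps the trail group from reaching `$`."""
    return "x" + ")" * n + "y"


def time_split(fn, word):
    """Seconds taken by fn(word); used only for the demonstration run."""
    t0 = time.perf_counter()
    fn(word)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Doubling n should roughly quadruple the regex time while the linear
    # split stays proportional to the input length.
    for n in (2000, 4000, 8000):
        w = redos_payload(n)
        print(
            "n=%d regex=%.3fs linear=%.4fs"
            % (n, time_split(split_with_regex, w), time_split(split_linear, w))
        )
```

Both functions agree on ordinary words such as `(www.example.com).` and `&lt;http://x.y/&gt;,`; only the cost differs, which is the property the CVSS availability impact reflects. Request timeouts and memory limits, as the description suggests, cap the damage of one slow request but do not remove the superlinear behaviour; replacing the backtracking match does.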
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Reference
https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
https://github.com/pallets/jinja/pull/1343
https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
https://security.gentoo.org/glsa/202107-19
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
Base Score
5.3
Base Severity
MEDIUM