Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt

Regular Expression Denial of Service (ReDoS) in Jinja2

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Permalink: https://github.com/advisories/GHSA-g3rq-g295-4j3m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 8 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-g3rq-g295-4j3m, CVE-2020-28493
References:

Repository: https://github.com/pallets/jinja
Blast Radius: 27.2

Affected Packages

pypi:jinja2

Dependent packages: 3,322
Dependent repositories: 133,056
Downloads: 163,177,969 last month
Affected Version Ranges: < 2.11.3
Fixed in: 2.11.3
All affected versions: 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.7.1, 2.7.2, 2.7.3, 2.8.1, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.10.1, 2.10.2, 2.10.3, 2.11.0, 2.11.1, 2.11.2
All unaffected versions: 2.11.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4