Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt
Regular Expression Denial of Service (ReDoS) in Jinja2
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Permalink: https://github.com/advisories/GHSA-g3rq-g295-4j3mJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-g3rq-g295-4j3m, CVE-2020-28493
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://github.com/pallets/jinja/pull/1343
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
- https://security.gentoo.org/glsa/202107-19
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://github.com/advisories/GHSA-g3rq-g295-4j3m
Blast Radius: 27.2
Affected Packages
pypi:jinja2
Dependent packages: 3,322Dependent repositories: 133,056
Downloads: 163,177,969 last month
Affected Version Ranges: < 2.11.3
Fixed in: 2.11.3
All affected versions: 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.7.1, 2.7.2, 2.7.3, 2.8.1, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.10.1, 2.10.2, 2.10.3, 2.11.0, 2.11.1, 2.11.2
All unaffected versions: 2.11.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4