Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt
Regular Expression Denial of Service (ReDoS) in Jinja2
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Permalink: https://github.com/advisories/GHSA-g3rq-g295-4j3mJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczcnEtZzI5NS00ajNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 19 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-g3rq-g295-4j3m, CVE-2020-28493
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://github.com/pallets/jinja/pull/1343
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
- https://security.gentoo.org/glsa/202107-19
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://github.com/advisories/GHSA-g3rq-g295-4j3m
- https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2021-66.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
Blast Radius: 27.2
Affected Packages
pypi:jinja2
Dependent packages: 4,068Dependent repositories: 133,056
Downloads: 233,458,097 last month
Affected Version Ranges: < 2.11.3
Fixed in: 2.11.3
All affected versions: 2.1.1, 2.2.1, 2.3.1, 2.4.1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.7.1, 2.7.2, 2.7.3, 2.8.1, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.10.1, 2.10.2, 2.10.3, 2.11.0, 2.11.1, 2.11.2
All unaffected versions: 2.11.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4