CVE-2020-28493

2021-02-0120:15:00

Debian Security Bug Tracker

security-tracker.debian.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

56.6%

JSON

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

OSVersionArchitecturePackageVersionFilename
Debian12alljinja2< 2.11.3-1jinja2_2.11.3-1_all.deb
Debian11alljinja2< 2.11.3-1jinja2_2.11.3-1_all.deb
Debian10alljinja2<= 2.10-2jinja2_2.10-2_all.deb
Debian999alljinja2< 2.11.3-1jinja2_2.11.3-1_all.deb
Debian13alljinja2< 2.11.3-1jinja2_2.11.3-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	jinja2	< 2.11.3-1	jinja2_2.11.3-1_all.deb
Debian	11	all	jinja2	< 2.11.3-1	jinja2_2.11.3-1_all.deb
Debian	10	all	jinja2	<= 2.10-2	jinja2_2.10-2_all.deb
Debian	999	all	jinja2	< 2.11.3-1	jinja2_2.11.3-1_all.deb
Debian	13	all	jinja2	< 2.11.3-1	jinja2_2.11.3-1_all.deb