5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
66.5%
NLTK (Natural Language Toolkit) is a suite of open source Python modules,
data sets, and tutorials supporting research and development in Natural
Language Processing. Versions prior to 3.6.5 are vulnerable to regular
expression denial of service (ReDoS) attacks. The vulnerability is present
in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of
this class, or these two functions, are vulnerable to the ReDoS attack. In
short, a specifically crafted long input to any of these vulnerable
functions will cause them to take a significant amount of execution time.
If your program relies on any of the vulnerable functions for tokenizing
unpredictable user input, then we would strongly recommend upgrading to a
version of NLTK without the vulnerability. For users unable to upgrade the
execution time can be bounded by limiting the maximum length of an input to
any of the vulnerable functions. Our recommendation is to implement such a
limit.
github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341
github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341 (3.6.6)
github.com/nltk/nltk/issues/2866
github.com/nltk/nltk/pull/2869
github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
launchpad.net/bugs/cve/CVE-2021-43854
nvd.nist.gov/vuln/detail/CVE-2021-43854
security-tracker.debian.org/tracker/CVE-2021-43854
www.cve.org/CVERecord?id=CVE-2021-43854
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
66.5%