Regular Expression Denial Of Service (ReDoS)

2021-02-0201:28:40

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

jinja2 is vulnerable to regular expression denial of service. The regex sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ used to format user content in the urlize filter consumes high process memory and can lead to an application crash.

CPENameOperatorVersion
jinja2le2.11.2
python27-python-jinja2eq2.6__15.el7
python27-python-jinja2eq2.6__11.el7
python27-python-jinja2eq2.6__14.el7
python27-python-pygmentseq1.5__3.el7
python27-python-pygmentseq1.5__2.el7
python27-pythoneq2.7.13__5.el7
python27-pythoneq2.7.8__14.el7
python27-pythoneq2.7.17__2.el7
python27-pythoneq2.7.8__16.el7

Name	Operator	Version
jinja2	le	2.11.2
python27-python-jinja2	eq	2.6__15.el7
python27-python-jinja2	eq	2.6__11.el7
python27-python-jinja2	eq	2.6__14.el7
python27-python-pygments	eq	1.5__3.el7
python27-python-pygments	eq	1.5__2.el7
python27-python	eq	2.7.13__5.el7
python27-python	eq	2.7.8__14.el7
python27-python	eq	2.7.17__2.el7
python27-python	eq	2.7.8__16.el7