4 results (0.011 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. A denial-of-service vulnerability related to regular expressions was discovered in Pygments, specifically in the file pygments/lexers/smithy.py. An attacker could exploit this flaw by sending a carefully crafted request, leading to a denial-of-service situation. • https://github.com/pygments/pygments/blob/master/pygments/lexers/smithy.py#L61 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZGMXALE3HSP4OXC7UUWIKX3OXKZDTY3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZO4BQCIY2S2KZYHERQMKURB7AHXDBO https://pypi.org/project/Pygments https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2 https://access.redhat.com/security/cve/CVE-2022-40896 https://bugzilla.r • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 1

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. En pygments versión 1.1+, corregido en 2.7.4, los lexers usados para analizar unos lenguajes de programación dependen en gran medida en expresiones regulares. Algunas de las expresiones regulares presentan una complejidad exponencial o cúbica en el peor de los casos y son vulnerables a ReDoS. • https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55 https://lists.fedoraproject.org/archives/list/package • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Un bucle infinito en SMLLexer en Pygments versiones 1.5 hasta 2.7.3, puede conllevar a una denegación de servicio cuando se lleva a cabo el resaltado de sintaxis de un archivo fuente de Standard ML (SML), como es demostrado por la entrada que solo contiene la palabra clave "exception" • https://bugzilla.redhat.com/show_bug.cgi?id=1922136 https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://www.debian.org/security/2021/dsa-4889 https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-20270 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 9.3EPSS: 1%CPEs: 14EXPL: 0

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name. La función FontManager._get_nix_font_path en formatters/img.py en Pygments 1.2.2 hasta la versión 2.0.2 permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en un nombre de fuente. • http://packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html http://seclists.org/fulldisclosure/2015/Oct/4 http://www.debian.org/security/2016/dsa-3445 http://www.openwall.com/lists/oss-security/2015/12/14/17 http://www.openwall.com/lists/oss-security/2015/12/14/6 http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html http://www.ubuntu.com/usn/USN-2862-1 https://bitbucket.org/birkenfeld/pygments-main/pull-requ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •