CVE-2020-28493
Regular Expression Denial of Service (ReDoS)
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re` regex and its use of multiple wildcards. The last wildcard is the most exploitable, as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
A flaw was found in python-jinja2. The ReDoS vulnerability of the regex is mainly due to the sub-pattern `[a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+`. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
SSVC
- Decision: -
Timeline
- 2020-11-12 CVE Reserved
- 2021-02-01 CVE Published
- 2023-11-08 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-400: Uncontrolled Resource Consumption
References (7)
URL | Date | Tag
---|---|---
https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20 | - | Broken Link
https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994 | 2024-09-16 | -
https://github.com/pallets/jinja/pull/1343 | 2023-11-07 | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Palletsprojects | Jinja | < 2.11.3 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected