Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    PYSEC-2021-66

    Vulnerability from pysec - Published: 2021-02-01 20:15 - Updated: 2021-03-22 16:34
    VLAI
    Details

    This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

    Impacted products
    Name purl
    jinja2 pkg:pypi/jinja2
    Aliases
    To clipboard 

    {
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jinja2",
        "purl": "pkg:pypi/jinja2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0rc1",
        "2.0",
        "2.1",
        "2.1.1",
        "2.2",
        "2.2.1",
        "2.3",
        "2.3.1",
        "2.4",
        "2.4.1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.4",
        "2.5.5",
        "2.6",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.8",
        "2.8.1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9.4",
        "2.9.5",
        "2.9.6",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.10.3",
        "2.11.0",
        "2.11.1",
        "2.11.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28493",
    "SNYK-PYTHON-JINJA2-1012994",
    "GHSA-g3rq-g295-4j3m"
  ],
  "details": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.",
  "id": "PYSEC-2021-66",
  "modified": "2021-03-22T16:34:00Z",
  "published": "2021-02-01T20:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/jinja/pull/1343"
    },
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g3rq-g295-4j3m"
    }
  ]
}