pysec-2021-141
Vulnerability from pysec
Published
2021-03-17 13:15
Modified
2021-08-27 03:22
Details
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "pygments", "purl": "pkg:pypi/pygments" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2e7e8c4a7b318f4032493773732754e418279a14" } ], "repo": "https://github.com/pygments/pygments", "type": "GIT" }, { "events": [ { "introduced": "1.1" }, { "fixed": "2.7.4" } ], "type": "ECOSYSTEM" } ], "versions": [ "1.1", "1.1.1", "1.2", "1.2.1", "1.2.2", "1.3", "1.3.1", "1.4", "1.5", "1.6", "1.6rc1", "2.0", "2.0.1", "2.0.2", "2.0rc1", "2.1", "2.1.1", "2.1.2", "2.1.3", "2.2.0", "2.3.0", "2.3.1", "2.4.0", "2.4.1", "2.4.2", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3" ] } ], "aliases": [ "CVE-2021-27291", "GHSA-pq64-v7f5-gqh8" ], "details": "In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.", "id": "PYSEC-2021-141", "modified": "2021-08-27T03:22:17.331175Z", "published": "2021-03-17T13:15:00Z", "references": [ { "type": "WEB", "url": "https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce" }, { "type": "FIX", "url": "https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2021/dsa-4878" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2021/dsa-4889" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-pq64-v7f5-gqh8" } ] }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.