GHSA-2ww3-fxvq-293j

Source

https://github.com/advisories/GHSA-2ww3-fxvq-293j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-2ww3-fxvq-293j/GHSA-2ww3-fxvq-293j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-2ww3-fxvq-293j

Aliases

Published

2021-09-29T17:14:53Z

Modified

2024-10-07T15:24:15.501727Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

NLTK Vulnerable to REDoS

Details

The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [_read_comparison_block()(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.

Database specific

{
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-697"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T20:49:37Z"
}

References

Affected packages

PyPI / nltk

Package

Name: nltk; View open source insights on deps.dev
Purl: pkg:pypi/nltk

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.4

Affected versions

2.*

2.0.1rc2-git

2.0b4

2.0b5

2.0b6

2.0b7

2.0b8

2.0b9

2.0.1rc1

2.0.1rc3

2.0.1rc4

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

0.*

0.8

0.9

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

3.*

3.0.0b1

3.0.0b2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.1

3.2

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.3

3.4

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.5b1

3.5

3.6

3.6.1

3.6.2

3.6.3