GHSA-g3rq-g295-4j3m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g3rq-g295-4j3m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g3rq-g295-4j3m/GHSA-g3rq-g295-4j3m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g3rq-g295-4j3m
- Aliases
-
- CVE-2020-28493
- PYSEC-2021-66
- SNYK-PYTHON-JINJA2-1012994
- Published
- 2021-03-19T21:28:05Z
- Modified
- 2024-02-20T05:28:08.665794Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Regular Expression Denial of Service (ReDoS) in Jinja2
- Details
-
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://github.com/pallets/jinja/pull/1343
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://github.com/pallets/jinja
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
- https://security.gentoo.org/glsa/202107-19
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
Affected packages
PyPI / jinja2
Package
- Name
- jinja2
- View open source insights on deps.dev
- Purl
- pkg:pypi/jinja2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.11.3