Vulnerability Details : CVE-2020-28493
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Exploit prediction scoring system (EPSS) score for CVE-2020-28493
Probability of exploitation activity in the next 30 days: 0.20%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 57 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-28493
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
NIST |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
Snyk |
CWE ids for CVE-2020-28493
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-28493
-
https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
SnykExploit;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
[SECURITY] Fedora 33 Update: mingw-python-jinja2-2.11.3-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202107-19
Jinja: Denial of service (GLSA 202107-19) — Gentoo securityThird Party Advisory
-
https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
Page not found · GitHub · GitHubBroken Link
-
https://github.com/pallets/jinja/pull/1343
backport urlize speedup by davidism · Pull Request #1343 · pallets/jinja · GitHubPatch;Third Party Advisory
Products affected by CVE-2020-28493
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:palletsprojects:jinja:*:*:*:*:*:*:*:*