CVE-2021-27291 : In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Published 2021-03-17 13:15:15

Updated 2022-05-23 22:35:48

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2021-27291

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Pygments » Pygments
Versions from including (>=) 1.1 and before (<) 2.7.4
cpe:2.3:a:pygments:pygments:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-27291

EPSS FAQ

2.52%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 84 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-27291

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

References for CVE-2021-27291

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/

[SECURITY] Fedora 33 Update: python-pygments-2.6.1-6.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/

[SECURITY] Fedora 32 Update: python-pygments-2.4.2-9.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.debian.org/security/2021/dsa-4878

Debian -- Security Information -- DSA-4878-1 pygments
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html

[SECURITY] [DLA 2648-1] mediawiki security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html

[SECURITY] [DLA 2600-1] pygments security update
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html

[SECURITY] [DLA 2648-2] mediawiki regression update
Mailing List;Third Party Advisory

CVEs referencing this url
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce

cve-2021-27291 · GitHub
Exploit;Third Party Advisory
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Fix several exponential/cubic complexity regexes found by Ben Caller/… · pygments/pygments@2e7e8c4 · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2021/dsa-4889

Debian -- Security Information -- DSA-4889-1 mediawiki
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-27291

Products affected by CVE-2021-27291

Exploit prediction scoring system (EPSS) score for CVE-2021-27291

CVSS scores for CVE-2021-27291

References for CVE-2021-27291