CVE-2020-28493

Summary

CVE	CVE-2020-28493
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-02-01 20:15:00 UTC
Updated	2023-11-07 03:21:00 UTC
Description	This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Risk And Classification

Problem Types: CWE-400

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	33	All	All	All
Application	Palletsprojects	Jinja	All	All	All	All
Application	Palletsprojects	Jinja	All	All	All	All

References

Reference	Source	Link	Tags
backport urlize speedup by davidism · Pull Request #1343 · pallets/jinja · GitHub	MISC	github.com	Patch, Third Party Advisory
github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/s...	MISC	github.com	Broken Link
[SECURITY] Fedora 33 Update: mingw-python-jinja2-2.11.3-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Jinja: Denial of service (GLSA 202107-19) — Gentoo security	GENTOO	security.gentoo.org
Regular Expression Denial of Service (ReDoS) in jinja2 \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
[SECURITY] Fedora 33 Update: mingw-python-jinja2-2.11.3-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
jinja/utils.py at ab81fd9c277900c85da0c322a2ff9d68a235b2e6 · pallets/jinja · GitHub	MITRE	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Yeting Li

Legacy QID Mappings

159463 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2021-4151)
159467 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-4162)
200071 Ubuntu Security Notification for Jinja2 Vulnerabilities (USN-6599-1)
239580 Red Hat Update for rh-python38 (RHSA-2021:3254)
239582 Red Hat Update for python27 (RHSA-2021:3252)
239826 Red Hat Update for python27:2.7 (RHSA-2021:4151)
239839 Red Hat Update for python-jinja2 (RHSA-2021:4161)
239845 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)
281537 Fedora Security Update for mingw (FEDORA-2021-2ab8ebcabc)
296067 Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)
501765 Alpine Linux Security Update for py3-jinja2
504328 Alpine Linux Security Update for py3-jinja2
670724 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2482)
670758 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2516)
670780 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2538)
670804 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2562)
670913 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2538)
671011 EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2609)
710057 Gentoo Linux Jinja Denial of service (GLSA 202107-19)
902147 Common Base Linux Mariner (CBL-Mariner) Security Update for python-jinja2 (9857)
902677 Common Base Linux Mariner (CBL-Mariner) Security Update for python-jinja2 (9857-1)
940290 AlmaLinux Security Update for python-jinja2 (ALSA-2021:4161)
940522 AlmaLinux Security Update for python27:2.7 (ALSA-2021:4151)
940526 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2021:4162)
960320 Rocky Linux Security Update for python27:2.7 (RLSA-2021:4151)
960342 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2021:4162)
960431 Rocky Linux Security Update for python-jinja2 (RLSA-2021:4161)
982900 Python (pip) Security Update for jinja2 (GHSA-g3rq-g295-4j3m)