{"api_version":"1","generated_at":"2026-04-22T20:52:20+00:00","cve":"CVE-2020-28493","urls":{"html":"https://cve.report/CVE-2020-28493","api":"https://cve.report/api/cve/CVE-2020-28493.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-28493","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-28493"},"summary":{"title":"CVE-2020-28493","description":"This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2021-02-01 20:15:00","updated_at":"2023-11-07 03:21:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://github.com/pallets/jinja/pull/1343","name":"https://github.com/pallets/jinja/pull/1343","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"backport urlize speedup by davidism · Pull Request #1343 · pallets/jinja · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20","name":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20","refsource":"MISC","tags":["Broken Link"],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/","name":"FEDORA-2021-2ab8ebcabc","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python-jinja2-2.11.3-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://security.gentoo.org/glsa/202107-19","name":"GLSA-202107-19","refsource":"GENTOO","tags":[],"title":"Jinja: Denial of service (GLSA 202107-19) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994","name":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Regular Expression Denial of Service (ReDoS) in jinja2 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/","name":"FEDORA-2021-2ab8ebcabc","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python-jinja2-2.11.3-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20","name":"MISC:https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20","refsource":"MITRE","tags":[],"title":"jinja/utils.py at ab81fd9c277900c85da0c322a2ff9d68a235b2e6 · pallets/jinja · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-28493","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28493","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Yeting Li","lang":""}],"nvd_cpes":[{"cve_year":"2020","cve_id":"28493","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"28493","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"palletsprojects","cpe5":"jinja","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"28493","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"palletsprojects","cpe5":"jinja","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-28493","qid":"159463","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2021-4151)"},{"cve":"CVE-2020-28493","qid":"159467","title":"Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-4162)"},{"cve":"CVE-2020-28493","qid":"200071","title":"Ubuntu Security Notification for Jinja2 Vulnerabilities (USN-6599-1)"},{"cve":"CVE-2020-28493","qid":"239580","title":"Red Hat Update for rh-python38 (RHSA-2021:3254)"},{"cve":"CVE-2020-28493","qid":"239582","title":"Red Hat Update for python27 (RHSA-2021:3252)"},{"cve":"CVE-2020-28493","qid":"239826","title":"Red Hat Update for python27:2.7 (RHSA-2021:4151)"},{"cve":"CVE-2020-28493","qid":"239839","title":"Red Hat Update for python-jinja2 (RHSA-2021:4161)"},{"cve":"CVE-2020-28493","qid":"239845","title":"Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)"},{"cve":"CVE-2020-28493","qid":"281537","title":"Fedora Security Update for mingw (FEDORA-2021-2ab8ebcabc)"},{"cve":"CVE-2020-28493","qid":"296067","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)"},{"cve":"CVE-2020-28493","qid":"501765","title":"Alpine Linux Security Update for py3-jinja2"},{"cve":"CVE-2020-28493","qid":"504328","title":"Alpine Linux Security Update for py3-jinja2"},{"cve":"CVE-2020-28493","qid":"670724","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2482)"},{"cve":"CVE-2020-28493","qid":"670758","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2516)"},{"cve":"CVE-2020-28493","qid":"670780","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2538)"},{"cve":"CVE-2020-28493","qid":"670804","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2562)"},{"cve":"CVE-2020-28493","qid":"670913","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2538)"},{"cve":"CVE-2020-28493","qid":"671011","title":"EulerOS Security Update for python-jinja2 (EulerOS-SA-2021-2609)"},{"cve":"CVE-2020-28493","qid":"710057","title":"Gentoo Linux Jinja Denial of service (GLSA 202107-19)"},{"cve":"CVE-2020-28493","qid":"902147","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-jinja2 (9857)"},{"cve":"CVE-2020-28493","qid":"902677","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-jinja2 (9857-1)"},{"cve":"CVE-2020-28493","qid":"940290","title":"AlmaLinux Security Update for python-jinja2 (ALSA-2021:4161)"},{"cve":"CVE-2020-28493","qid":"940522","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2021:4151)"},{"cve":"CVE-2020-28493","qid":"940526","title":"AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2021:4162)"},{"cve":"CVE-2020-28493","qid":"960320","title":"Rocky Linux Security Update for python27:2.7 (RLSA-2021:4151)"},{"cve":"CVE-2020-28493","qid":"960342","title":"Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2021:4162)"},{"cve":"CVE-2020-28493","qid":"960431","title":"Rocky Linux Security Update for python-jinja2 (RLSA-2021:4161)"},{"cve":"CVE-2020-28493","qid":"982900","title":"Python (pip) Security Update for jinja2 (GHSA-g3rq-g295-4j3m)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2021-02-01T19:29:26.819563Z","ID":"CVE-2020-28493","STATE":"PUBLIC","TITLE":"Regular Expression Denial of Service (ReDoS)"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"jinja2","version":{"version_data":[{"version_affected":">=","version_value":"0.0.0"},{"version_affected":"<","version_value":"2.11.3"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Regular Expression Denial of Service (ReDoS)"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994","name":"https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994"},{"refsource":"MISC","url":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20","name":"https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20"},{"refsource":"MISC","url":"https://github.com/pallets/jinja/pull/1343","name":"https://github.com/pallets/jinja/pull/1343"},{"refsource":"FEDORA","name":"FEDORA-2021-2ab8ebcabc","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/"},{"refsource":"GENTOO","name":"GLSA-202107-19","url":"https://security.gentoo.org/glsa/202107-19"}]},"description":{"description_data":[{"lang":"eng","value":"This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"}},"credit":[{"lang":"eng","value":"Yeting Li"}]},"nvd":{"publishedDate":"2021-02-01 20:15:00","lastModifiedDate":"2023-11-07 03:21:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:palletsprojects:jinja:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"28493","Ordinal":"190980","Title":"CVE-2020-28493","CVE":"CVE-2020-28493","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"28493","Ordinal":"1","NoteData":"This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"28493","Ordinal":"2","NoteData":"2021-02-01","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"28493","Ordinal":"3","NoteData":"2021-07-08","Type":"Other","Title":"Modified"}]}}}