CVE-2020-28493

Aliases:GHSA-g3rq-g295-4j3mPYSEC-2021-66SNYK-PYTHON-JINJA2-1012994

Advisory lineage Upstream: 0 Downstream: 19

Downstream

ALPINE-CVE-2020-28493 DEBIAN-CVE-2020-28493 MGASA-2021-0178 OPENSUSE-SU-2024:11208-1 OPENSUSE-SU-2024:13930-1 RHSA-2021:3252

Modified

Published: 01 Feb 2021, 19:30

Last modified:16 Sept 2024, 17:24

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

5.3 MEDIUM

v3.1 (cve.org)

EPSS Score

0.21% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

01 Feb 2021, 19:30

Published

Vulnerability first disclosed

16 Sept 2024, 17:24

Last Modified

Vulnerability information updated

Description

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

CVSS Metrics

v4.0•MEDIUM•Score: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P
v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.21%• Percentile: 43%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

fedoraproject•fedora
33
palletsprojects•jinja
< 2.11.3
PyPI•jinja2
< 2.11.3