CVE-2021-27291

Aliases:GHSA-pq64-v7f5-gqh8PYSEC-2021-141
Advisory lineage Upstream: 0 Downstream: 23
Modified
Published: 17 Mar 2021, 12:31
Last modified:03 Aug 2024, 20:48

Vulnerability Summary

Overall Risk (default)
medium
41/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
3.4% LOW
3% probability +0.65%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

17 Mar 2021, 12:31
Published
Vulnerability first disclosed
03 Aug 2024, 20:48
Last Modified
Vulnerability information updated

Description

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVSS Metrics

  • v4.0HIGHScore: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 3.40% Percentile: 88%

Techniques & Countermeasures

  • CWE-1333Inefficient Regular Expression Complexity

    The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

  • debiandebian_linux

    9.0 | 10.0

  • fedoraprojectfedora

    32 | 33

  • pygmentspygments

    ≥ 1.1, < 2.7.4

  • PyPIpygments

    < 2e7e8c4a7b318f4032493773732754e418279a14 | ≥ 1.1, < 2.7.4

References (17)