Lucene search

[email protected]NVD:CVE-2022-40023

HistorySep 07, 2022 - 1:15 p.m.

CVE-2022-40023

2022-09-0713:15:09

CWE-1333

[email protected]

web.nvd.nist.gov

sqlalchemy mako vulnerability

regular expression denial of service

lexer class

babelplugin

linguaplugin

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

60.8%

JSON

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Affected configurations

NVD

Node

sqlalchemymakoRange<1.2.2

Node

debiandebian_linuxMatch10.0

References

github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21

github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c

github.com/sqlalchemy/mako/issues/366

lists.debian.org/debian-lts-announce/2022/09/msg00026.html

pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

pyup.io/vulnerabilities/CVE-2022-40023/50870/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

60.8%

JSON

Related for NVD:CVE-2022-40023

openvas10 oraclelinux2 amazon1 osv7 nessus25 debian1 redhat8 cvelist1 veracode1 mageia1 almalinux2 cbl_mariner2 redhatcve1 ubuntucve1 alpinelinux1 github1 cve1 ubuntu2 redos1 debiancve1 prion1 ibm2