CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
Percentile
57.3%
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS
vulnerability is mainly due to the _punctuation_re regex
operator and its
use of multiple wildcards. The last wildcard is the most exploitable as it
searches for trailing punctuation. This issue can be mitigated by Markdown
to format user content instead of the urlize filter, or by implementing
request timeouts and limiting process memory.
Author | Note |
---|---|
sbeattie | regular expression DoS |
github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
github.com/pallets/jinja/pull/1343
github.com/yetingli/PoCs/tree/main/CVE-2020-28493
launchpad.net/bugs/cve/CVE-2020-28493
nvd.nist.gov/vuln/detail/CVE-2020-28493
security-tracker.debian.org/tracker/CVE-2020-28493
snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
ubuntu.com/security/notices/USN-5701-1
ubuntu.com/security/notices/USN-6599-1
www.cve.org/CVERecord?id=CVE-2020-28493
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
Percentile
57.3%