CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile: 21.6%
pygments is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists in smithy.py due to the use of a regular expression with inefficient complexity in the SqlJinjaLexer class, which can cause catastrophic backtracking on crafted input.
github.com/advisories/GHSA-mrwq-x4v8-fh7p
github.com/pygments/pygments/blob/master/pygments/lexers/smithy.py#L61
github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
github.com/pygments/pygments/issues/2355
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZGMXALE3HSP4OXC7UUWIKX3OXKZDTY3/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUZO4BQCIY2S2KZYHERQMKURB7AHXDBO/
pypi.org/project/Pygments/
pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/