CVE-2020-28493 jinja2

Package

Manager: pip
Name: jinja2
Vulnerable Version: >=0 <2.11.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00207 (percentile 0.43094)

Details

Regular Expression Denial of Service (ReDoS) in Jinja2. This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS weakness in the regex used by the urlize filter is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Metadata

Created: 2021-03-19T21:28:05Z
Modified: 2024-09-24T20:40:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g3rq-g295-4j3m/GHSA-g3rq-g295-4j3m.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-g3rq-g295-4j3m
Finding: F002
Auto approve: 1