Description
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re` regex and its use of multiple wildcards. The last wildcard is the most exploitable, as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
A flaw was found in python-jinja2. The ReDoS vulnerability of the regex is mainly due to the sub-pattern `[a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+`. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Statement
This flaw is out of support scope for the following products:
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Ceph Storage 2
To learn more about Red Hat Enterprise Linux support scopes, please see https://access.redhat.com/support/policy/updates/errata/
In Red Hat OpenStack Platform, because python-jinja2 is not directly customer exposed, the Impact has been moved to Low and no update will be provided at this time for the RHOSP python-jinja2 package. Red Hat Quay does not make use of the vulnerable function, so the impact is Low.
Mitigation
If using the jinja2 library as a developer, this flaw can be mitigated by not using the vulnerable urlize() filter and instead using Markdown to format user content.
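Two checks a maintainer would want before deciding whether this advisory applies to a deployment: whether the installed jinja2 release falls inside the affected range the advisory gives (from 0.0.0 and before 2.11.3), and whether any template actually applies the urlize filter that the mitigation says to stop using. The following is an added example written for this page, not code from the jinja2 project or from Red Hat; the version-parsing rules, the `SAMPLE_TEMPLATE` contents and the helper names (`is_affected`, `find_urlize_usage`, `audit`) are constructed assumptions of the example.

```python
import re

# First release the advisory lists as not affected.
FIXED_VERSION = (2, 11, 3)


def parse_version(version):
    """Parse a dotted release string such as '2.11.3' into a tuple of ints.

    Simplifying assumption of this example: any non-numeric suffix on a
    component (e.g. the 'rc1' in '2.11.3rc1') is ignored.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version):
    """True when the given jinja2 version lies in the affected range (< 2.11.3)."""
    return parse_version(version) < FIXED_VERSION


# Two ways a template can apply the filter: a '| urlize' pipe inside an
# expression, or a '{% filter urlize %}' block. Both forms are matched per line.
URLIZE_RE = re.compile(r"(\|\s*urlize\b)|(\{%-?\s*filter\s+urlize\b)")


def find_urlize_usage(template_source):
    """Return (line_number, stripped_line) pairs where urlize is applied."""
    hits = []
    for lineno, line in enumerate(template_source.splitlines(), start=1):
        if URLIZE_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def audit(version, template_source):
    """Combine both checks into one result for a single deployment.

    'exposed' is True only when the installed version is in the affected
    range AND at least one template actually uses the urlize filter.
    """
    urlize_lines = find_urlize_usage(template_source)
    affected = is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "urlize_lines": [n for n, _ in urlize_lines],
        "exposed": affected and bool(urlize_lines),
    }


# Constructed sample template: lines 2 and 3 apply urlize to user-supplied
# content, lines 1 and 4 use unrelated filters.
SAMPLE_TEMPLATE = """\
<h1>{{ title | e }}</h1>
<p>{{ user_bio|urlize }}</p>
{% filter urlize(40) %}{{ comment }}{% endfilter %}
<p>{{ body | safe }}</p>
"""

if __name__ == "__main__":
    for v in ("2.10", "2.11.2", "2.11.3", "3.0.1"):
        result = audit(v, SAMPLE_TEMPLATE)
        print(f"jinja2 {v}: affected={result['affected_version']} "
              f"urlize on lines {result['urlize_lines']} exposed={result['exposed']}")
```

The template scan is the part that turns the advisory into an action item: every reported line is a place where user content should be formatted with Markdown instead, as the mitigation above recommends. Replacing the filter is a code change in the application, so the example reports locations rather than rewriting templates.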
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ansible Automation Platform 1.2 | jinja2 | Not affected | | |
Red Hat Ansible Automation Platform 1.2 | python-jinja2 | Not affected | | |
Red Hat Ansible Tower 3 | jinja2 | Not affected | | |
Red Hat Ceph Storage 2 | python-jinja2 | Out of support scope | | |
Red Hat Ceph Storage 3 | python-jinja2 | Affected | | |
Red Hat Enterprise Linux 6 | python-jinja2 | Out of support scope | | |
Red Hat Enterprise Linux 7 | python-jinja2 | Out of support scope | | |
Red Hat Enterprise Linux 9 | python-jinja2 | Not affected | | |
Red Hat OpenStack Platform 13 (Queens) | python-jinja2 | Will not fix | | |
Red Hat Quay 3 | quay/quay-rhel8 | Affected | | |
Additional information
Status:
CVSS3: 7.5 High