Description
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
A denial of service attack was discovered against pygments. Some of the regular expressions used to tokenise source code for highlighting have exponential complexity. A specially crafted input file could cause pygments to take effectively infinite time to parse, consuming CPU resources and denying access to the service.
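As an added example (not from this advisory and not Pygments project code), a defensive wrapper that runs a regex match, or any tokeniser, in a disposable child process under a wall-clock budget, so that a crafted input cannot pin a service's CPU indefinitely. The nested-quantifier pattern is a constructed stand-in for the class of lexer regex the advisory describes, not a real Pygments regex; `run_with_budget` is a hypothetical helper name, and the same wrapper could be put around `pygments.highlight` on untrusted input.

```python
import multiprocessing as mp
import re

# Constructed stand-in for the regex class named in the advisory: a nested
# quantifier that backtracks exponentially on "aaaa...!" (not a Pygments regex).
PATHOLOGICAL = re.compile(r"^(a+)+$")

def _worker(func, args, conn):
    """Child-process entry point: run func and send the outcome back over the pipe."""
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:  # report failures instead of dying silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def run_with_budget(func, args, seconds):
    """Run func(*args) in a forked child and bound its wall-clock time.

    Returns ("ok", result), ("error", message) or ("timeout", None).
    Killing the child is what actually bounds CPU use: a catastrophic regex
    match in CPython runs inside C code that does not respond to signals
    until it finishes, so an in-process alarm is not a reliable guard.
    """
    ctx = mp.get_context("fork")  # fork: func/args are inherited, not pickled
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(func, args, child_end))
    proc.start()
    child_end.close()  # the parent keeps only the receiving end
    proc.join(seconds)
    if proc.is_alive():
        proc.kill()  # SIGKILL: the worker is disposable, there is nothing to clean up
        proc.join()
        return ("timeout", None)
    try:
        return parent_end.recv()
    except EOFError:
        return ("error", "worker exited without a result")

def match_bounded(pattern, text, seconds=1.0):
    """Match pattern against untrusted text under a budget: bool, or None on timeout."""
    status, value = run_with_budget(lambda p, t: p.match(t) is not None,
                                    (pattern, text), seconds)
    return value if status == "ok" else None

if __name__ == "__main__":
    print(match_bounded(PATHOLOGICAL, "aaaa"))          # True
    print(match_bounded(PATHOLOGICAL, "a" * 40 + "!"))  # None once the budget expires
```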
Affected packages
Platform | Package | Status | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 6 | python-pygments | Out of support scope | |
Red Hat Enterprise Linux 7 | python-pygments | Out of support scope | |
Red Hat Enterprise Linux 7 | resource-agents | Out of support scope | |
Red Hat OpenStack Platform 10 (Newton) | python-pygments | Out of support scope | |
Red Hat Automation Hub 4.2 for RHEL 7 | automation-hub | Fixed | RHSA-2021:0781 | 09.03.2021
Red Hat Automation Hub 4.2 for RHEL 7 | python3-django | Fixed | RHSA-2021:0781 | 09.03.2021
Red Hat Automation Hub 4.2 for RHEL 7 | python-bleach | Fixed | RHSA-2021:0781 | 09.03.2021
Red Hat Automation Hub 4.2 for RHEL 7 | python-bleach-allowlist | Fixed | RHSA-2021:0781 | 09.03.2021
Red Hat Automation Hub 4.2 for RHEL 7 | python-galaxy-importer | Fixed | RHSA-2021:0781 | 09.03.2021
Red Hat Automation Hub 4.2 for RHEL 7 | python-galaxy-ng | Fixed | RHSA-2021:0781 | 09.03.2021
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.