Описание
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
A denial-of-service vulnerability related to regular expressions was discovered in Pygments, specifically in the file pygments/lexers/smithy.py. An attacker could exploit this flaw by sending a carefully crafted request, leading to a denial-of-service situation.
Отчет
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ https://data.safetycli.com/vulnerabilities/CVE-2022-40896/58910/?utm_source=pyupio&utm_medium=redirect&utm_campaign=pyup_rd&utm_id=0817&utm_content=data Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure that only authorized users and roles can execute code or upload files. Red Hat enforces least functionality by enabling only essential features, services, and ports, and applies hardening guidelines to ensure the most restrictive configurations necessary for operational requirements. The environment employs IPS/IDS and antimalware solutions to detect and block malicious code and files before execution. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the risk of denial-of-service (DoS) attacks. In the event of successful exploitation, process isolation prevents a compromised process from accessing memory freed by another, containing the impact. Finally, the platform uses memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to strengthen defenses against malicious file uploads and memory-based attacks.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | aap-cloud-metrics-collector-container | Will not fix | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/platform-resource-runner-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ansible-builder-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ee-cloud-services-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-lint | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-navigator | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python3x-ansible-compat | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments ...
Уязвимость файла pygments/lexers/smithy.py компонента SmithyLexer программы подсветки синтаксиса Pygments, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
5.5 Medium
CVSS3