CVE-2020-28493: Regular Expression Denial of Service (ReDoS)
First published: Mon Feb 01 2021(Updated: )
A flaw was found in python-jinja2. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jinja2 | <2.11.3 | 2.11.3 |
| redhat/python-jinja2 | <0:2.10.1-3.el8 | 0:2.10.1-3.el8 |
| redhat/python27-babel | <0:0.9.6-10.el7 | 0:0.9.6-10.el7 |
| redhat/python27-python | <0:2.7.18-3.el7 | 0:2.7.18-3.el7 |
| redhat/python27-python-jinja2 | <0:2.6-16.el7 | 0:2.6-16.el7 |
| redhat/python27-python-pygments | <0:1.5-5.el7 | 0:1.5-5.el7 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| Palletsprojects Jinja | <2.11.3 | |
| Fedoraproject Fedora | =33 | |
| redhat/jinja2 | <2.11.3 | 2.11.3 |
| ubuntu/jinja2 | <2.8-1ubuntu0.1+ | 2.8-1ubuntu0.1+ |
| ubuntu/jinja2 | <2.10-1ubuntu0.18.04.1+ | 2.10-1ubuntu0.18.04.1+ |
| ubuntu/jinja2 | <2.10.1-2ubuntu0.2 | 2.10.1-2ubuntu0.2 |
| ubuntu/jinja2 | <2.11.3 | 2.11.3 |
| ubuntu/jinja2 | <2.7.2-2ubuntu0.1~ | 2.7.2-2ubuntu0.1~ |
| debian/jinja2 | <=2.10-2<=2.10-2+deb10u1 | 2.11.3-1 3.1.2-1 3.1.3-1 |
Remedy
If using the jinja2 library as a developer, this flaw can be mitigated by not using the vulnerable urlize() filter, and instead, using Markdown to format user content.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://github.com/pallets/jinja/pull/1343
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
- https://security.gentoo.org/glsa/202107-19
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://github.com/advisories/GHSA-g3rq-g295-4j3m (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-28493 https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://bugzilla.redhat.com/show_bug.cgi?id=1928707
- https://access.redhat.com/errata/RHSA-2021:4151
- https://access.redhat.com/errata/RHSA-2021:4161
- https://access.redhat.com/errata/RHSA-2021:4162
- https://access.redhat.com/errata/RHSA-2021:3252
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/security/cve/cve-2020-28493
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928709
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928708
- https://jinja.palletsprojects.com/en/2.11.x/templates/?highlight=urlize#urlize
- https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
- https://access.redhat.com/support/policy/updates/errata/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
- https://launchpad.net/bugs/cve/CVE-2020-28493
- https://security-tracker.debian.org/tracker/CVE-2020-28493
- https://github.com/yetingli/PoCs/tree/main/CVE-2020-28493
- https://ubuntu.com/security/notices/USN-5701-1
- https://ubuntu.com/security/notices/USN-6599-1
- https://www.cve.org/CVERecord?id=CVE-2020-28493
- https://ubuntu.com/security/CVE-2020-28493
- https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2021-66.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-28493?
CVE-2020-28493 is a vulnerability in the Python Jinja2 package that allows for ReDoS attacks due to the use of multiple wildcards in the regex operator.
What is the severity of CVE-2020-28493?
CVE-2020-28493 has a severity rating of high with a score of 7.
How does CVE-2020-28493 affect the python-jinja2 package?
CVE-2020-28493 affects the python-jinja2 package versions 0.0.0 to 2.11.3.
What is the risk of CVE-2020-28493?
CVE-2020-28493 poses a risk of denial of service attacks through ReDoS vulnerabilities.
How can I mitigate CVE-2020-28493?
You can mitigate CVE-2020-28493 by updating the python-jinja2 package to version 2.11.3 or higher.
- collector/redhat-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-28493
- agent/software-canonical-lookup
- agent/remedy
- agent/description
- collector/nvd-cve
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/title
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g3rq-g295-4j3m
- agent/last-modified-date
- agent/references
- agent/tags
- collector/github-advisory
- package-manager/redhat
- vendor/palletsprojects
- canonical/palletsprojects jinja
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- package-manager/debian
- package-manager/ubuntu
- package-manager/pip