PT-2021-3609 · Pypi+9 · Pygments+9

Ben Caller · Published 2021-01-03 · Updated 2023-08-14 · CVE-2021-27291

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pygments versions 1.1 through 2.7.3

Description: The issue is related to the use of regular expressions in the Pygments syntax highlighting program. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS (regular expression denial of service). By crafting malicious input, an attacker can cause a denial of service.

Recommendations: For Pygments versions 1.1 through 2.7.3, update to version 2.7.4 to resolve the issue. As a temporary workaround, consider restricting the input to the lexers to minimize the risk of exploitation.
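The upgrade-and-restrict advice above, as an added example (not code from the advisory or from the Pygments project): a check of the installed version against the affected range, and a size gate placed in front of the lexer as the interim workaround. The wrapper name `highlight_guarded`, `DEFAULT_MAX_INPUT` and its 64 KiB value are assumptions; Pygments is imported lazily inside the wrapper so the checks run even where it is not installed.

```python
"""Defensive checks for CVE-2021-27291 (Pygments ReDoS); added example."""
import re

AFFECTED_MIN = (1, 1, 0)        # first affected release (from the advisory)
AFFECTED_MAX = (2, 7, 3)        # last affected release; 2.7.4 carries the fix
DEFAULT_MAX_INPUT = 64 * 1024   # assumed cap in characters; tune to your workload


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch); a pre-release suffix such as 'rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when this Pygments version lies inside the vulnerable range 1.1 .. 2.7.3."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def check_input(text: str, max_input: int = DEFAULT_MAX_INPUT) -> bool:
    """Workaround gate: accept only input no larger than max_input characters."""
    return len(text) <= max_input


def highlight_guarded(text: str, lexer_name: str,
                      max_input: int = DEFAULT_MAX_INPUT) -> str:
    """Hypothetical wrapper: run Pygments only on input that passes the size gate.

    The gate is applied unconditionally (defence in depth); the version check
    only sharpens the error message so operators see why the cap matters.
    """
    import pygments
    from pygments import highlight
    from pygments.formatters import HtmlFormatter
    from pygments.lexers import get_lexer_by_name

    if not check_input(text, max_input):
        hint = ("installed Pygments %s is in the affected range; upgrade to 2.7.4+"
                % pygments.__version__) if is_affected(pygments.__version__) else ""
        raise ValueError(f"refusing {len(text)} characters of input "
                         f"(cap {max_input}). {hint}".rstrip())
    return highlight(text, get_lexer_by_name(lexer_name), HtmlFormatter())
```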

Tags: DoS, Resource Exhaustion

Related Identifiers

ALSA-2021:4139
ALSA-2021:4150
ALSA-2021:4151
ALT-PU-2021-1669
ALT-PU-2021-1712
ALT-PU-2021-2091
AZL-35138
AZL-6812
BDU:2021-03741
CESA-2021_4139
CESA-2021_4150
CESA-2021_4151
CVE-2021-27291
DLA-2600-1
DLA-2648-1
DLA-2648-2
DSA-4878-1
DSA-4889-1
GHSA-PQ64-V7F5-GQH8
MGASA-2021-0218
MGASA-2021-0245
OESA-2021-1154
OPENSUSE-SU-2021:1521-1
OPENSUSE-SU-2021:3839-1
OPENSUSE-SU-2021:3841-1
PYSEC-2021-141
RHSA-2021:0781
RHSA-2021:3252
RHSA-2021:4139
RHSA-2021:4150
RHSA-2021:4151
RLSA-2021:4139
RLSA-2021:4150
RLSA-2021:4151
SUSE-SU-2021:3814-1
SUSE-SU-2021:3839-1
SUSE-SU-2021:3840-1
SUSE-SU-2021:3841-1
USN-4897-1
USN-4897-2

Affected Products

Alt Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Pygments
Red Hat
Rocky Linux
SUSE
Ubuntu