PT-2021-7288 · Jinja2+8

Yeting Li · Published 2021-02-01 · Updated 2025-09-29 · CVE-2020-28493

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: jinja2 versions 0.0.0 through 2.11.3

Description: The issue is mainly due to the _punctuation_re regex operator and its use of multiple wildcards, the last of which is the most exploitable because it searches for trailing punctuation. This can cause a ReDoS (regular expression denial of service) vulnerability, potentially leading to a denial of service. The vulnerability can be exploited by a remote attacker. The issue can also be attributed to the sub-pattern [a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+ in the regex.

Recommendations: For jinja2 versions 0.0.0 through 2.11.3, mitigate the issue by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Exploit · Fix · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2021:4151
ALSA-2021:4161
ALSA-2021:4162
ALSA-2021_4161
ALSA-2025_16880
AZL-40857
AZL-75813
BDU:2022-05230
CESA-2021_4151
CESA-2021_4161
CESA-2021_4162
CVE-2020-28493
GHSA-G3RQ-G295-4J3M
MGASA-2021-0178
OESA-2021-1190
OPENSUSE-SU-2024:11208-1
OPENSUSE-SU-2024:13930-1
PYSEC-2021-66
RHSA-2021:3252
RHSA-2021:3254
RHSA-2021:4151
RHSA-2021:4161
RHSA-2021:4162
RHSA-2021_4151
RHSA-2021_4161
RHSA-2021_4162
RLSA-2021:4151
RLSA-2021:4161
RLSA-2021:4162
SNYK-PYTHON-JINJA2-1012994
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2021:0601-1
SUSE-SU-2021:0602-1
SUSE-SU-2021:0603-1
SUSE-SU-2021:0607-1
SUSE-SU-2021:0654-1
SUSE-SU-2021:14644-1
SUSE-SU-2021_0607-1
SUSE-SU-2021_0654-1
SUSE-SU-2021_14644-1
USN-5701-1
USN-6599-1

Affected Products

Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Jinja2