CVE-2024-21503

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21503
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21503.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21503
Aliases
Related
Published
2024-03-19T05:15:09Z
Modified
2024-12-19T01:03:31.010431Z
Summary
[none]
Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lineswithleadingtabsexpanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

References

Affected packages

Debian:11 / black

Package

Name
black
Purl
pkg:deb/debian/black?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.8b1-4

21.*

21.4b2-1~exp1
21.4b2-1
21.4b2-2
21.4b2-3
21.10b0-1
21.12b0-1

22.*

22.1.0-1
22.3.0-1
22.6.0-1
22.6.0-2
22.8.0-1
22.10.0-1
22.10.0-2
22.12.0-1

23.*

23.1.0-1
23.3.0-1~exp1
23.3.0-1
23.7.0-1
23.9.1-1
23.10.0-1
23.10.1-1
23.11.0-1

24.*

24.1.1-1
24.2.0-1
24.4.0-1
24.4.0-2
24.4.2-1
24.4.2-2~0exp0
24.4.2-2
24.8.0-1
24.10.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / black

Package

Name
black
Purl
pkg:deb/debian/black?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.1.0-1
23.3.0-1~exp1
23.3.0-1
23.7.0-1
23.9.1-1
23.10.0-1
23.10.1-1
23.11.0-1

24.*

24.1.1-1
24.2.0-1
24.4.0-1
24.4.0-2
24.4.2-1
24.4.2-2~0exp0
24.4.2-2
24.8.0-1
24.10.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / black

Package

Name
black
Purl
pkg:deb/debian/black?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
24.4.0-1

Affected versions

23.*

23.1.0-1
23.3.0-1~exp1
23.3.0-1
23.7.0-1
23.9.1-1
23.10.0-1
23.10.1-1
23.11.0-1

24.*

24.1.1-1
24.2.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/psf/black

Affected ranges

Type
GIT
Repo
https://github.com/psf/black
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

18.*

18.3a0
18.3a1
18.3a2
18.3a3
18.3a4
18.4a0
18.4a1
18.4a2
18.4a3
18.4a4
18.5b0
18.5b1
18.6b0
18.6b1
18.6b2
18.6b3
18.6b4
18.9b0

19.*

19.10b0
19.3b0

20.*

20.8b0
20.8b1

21.*

21.10b0
21.11b0
21.11b1
21.12b0
21.4b0
21.4b1
21.4b2
21.5b0
21.5b1
21.5b2
21.6b0
21.7b0
21.8b0
21.9b0

22.*

22.1.0
22.10.0
22.12.0
22.3.0
22.6.0
22.8.0

23.*

23.1.0
23.10.0
23.10.1
23.11.0
23.12.0
23.12.1
23.3.0
23.7.0
23.9.0
23.9.1

24.*

24.1.0
24.1.1
24.2.0