GHSA-pq64-v7f5-gqh8

Source

https://github.com/advisories/GHSA-pq64-v7f5-gqh8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-pq64-v7f5-gqh8/GHSA-pq64-v7f5-gqh8.json

Aliases

CVE-2021-27291
PYSEC-2021-141

Published

2021-03-29T16:33:03Z

Modified

2024-02-22T05:36:41.170318Z

Details

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-27291
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ
https://www.debian.org/security/2021/dsa-4878
https://www.debian.org/security/2021/dsa-4889

Affected packages

PyPI / pygments

Package

Name: pygments

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1

Fixed

2.7.4

Affected versions

1.*

1.1

1.1.1

1.2

1.2.1

1.2.2

1.3

1.3.1

1.4

1.5

1.6rc1

1.6

2.*

2.0rc1

2.0

2.0.1

2.0.2

2.1

2.1.1

2.1.2

2.1.3

2.2.0

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.1

2.5.2

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3