VDB

CVE-2020-28493

CVE-2020-28493 PUBLISHED

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

EPSS 0.21% · 43.1th percentile

Risk Scores

EPSS Score
0.21%
43.1th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSjinja22.8-1ubuntu0.1, 0, 2.8-1
Ubuntu:Pro:14.04:LTSjinja2*, 0, 2.7.1-1
Ubuntu:Pro:18.04:LTSjinja22.9.6-1, 0, 2.10-1
Ubuntu:20.04:LTSjinja20, 2.10-2ubuntu2, 2.10.1-1ubuntu1

Timeline

  • Feb 1, 2021 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Jan 8, 2023 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›