VDB
CVE-2020-28493
CVE-2020-28493
PUBLISHED
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
EPSS 0.21% · 43.1th percentile
Risk Scores
EPSS Score
0.21%
43.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | jinja2 | 2.8-1ubuntu0.1, 0, 2.8-1 |
| Ubuntu:Pro:14.04:LTS | jinja2 | *, 0, 2.7.1-1 |
| Ubuntu:Pro:18.04:LTS | jinja2 | 2.9.6-1, 0, 2.10-1 |
| Ubuntu:20.04:LTS | jinja2 | 0, 2.10-2ubuntu2, 2.10.1-1ubuntu1 |
Timeline
- Feb 1, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-28493 third-party-advisory
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20 third-party-advisory
- https://github.com/pallets/jinja/pull/1343 third-party-advisory
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994 third-party-advisory
- https://github.com/yetingli/PoCs/tree/main/CVE-2020-28493 third-party-advisory
- https://ubuntu.com/security/notices/USN-5701-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-6599-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-28493 third-party-advisory
- Multiples vulnérabilités dans les produits IBM advisory