PYSEC-2022-260 — Vulnetix

PYSEC-2022-260 PUBLISHED CVSS 8.699999809265137 HIGH

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	mako	0, 0, 0.1.1

Timeline

Sep 7, 2022 CVE Published
Nov 8, 2023 CVE Updated

References

https://pyup.io/vulnerabilities/CVE-2022-40023/50870/ url
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21 url
https://github.com/advisories/GHSA-v973-fxgf-6xhp advisory
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c fix
https://github.com/sqlalchemy/mako/issues/366 discussion

Open in Interactive Console →