CVE-2021-27291

Published: 17 March 2021

In Pygments 1.1 and later (fixed in 2.7.4), the lexers used to parse programming languages rely heavily on regular expressions. Some of these regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS (regular expression denial of service). By crafting malicious input, an attacker can cause a denial of service.

Notes

Author: avital
Note: eric looks to contain a vendored copy of pygments

Priority

Medium

Cvss 3 Severity Score

7.5

Status

Package: eric
  impish: Ignored (end of life)
  kinetic: Ignored (end of life, was needed)
  bionic: Needs triage
  focal: Needs triage
  groovy: Ignored (end of life)
  hirsute: Ignored (end of life)
  trusty: Does not exist
  upstream: Needs triage
  xenial: Needs triage
  jammy: Needed
  lunar: Needed
  mantic: Needed

Package: pygments
  impish: Released (2.7.1+dfsg-2ubuntu1)
  bionic: Released (2.2.0+dfsg-1ubuntu0.2)
  focal: Released (2.3.1+dfsg-1ubuntu2.2)
  groovy: Released (2.3.1+dfsg-4ubuntu0.2)
  hirsute: Released (2.7.1+dfsg-2ubuntu1)
  upstream: Released (2.7.4)
  xenial: Released (2.1+dfsg-1ubuntu0.2)
  trusty: Released (1.6+dfsg-1ubuntu1.1+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
  jammy: Released (2.7.1+dfsg-2ubuntu1)
  kinetic: Released (2.7.1+dfsg-2ubuntu1)
  lunar: Released (2.7.1+dfsg-2ubuntu1)
  mantic: Released (2.7.1+dfsg-2ubuntu1)
Patches:
upstream: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Severity score breakdown

Base score: 7.5
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality impact: None
Integrity impact: None
Availability impact: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H