CVE-2022-40023

Published: 7 September 2022

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
mako Launchpad, Ubuntu, Debian	bionic	Released (1.0.7+ds1-1ubuntu0.2)
	focal	Released (1.1.0+ds1-1ubuntu2.1)
	jammy	Released (1.1.3+ds1-2ubuntu0.1)
	trusty	Ignored (out of standard support)
	upstream	Released (1.2.2+ds1-1)
	xenial	Released (1.0.3+ds1-1ubuntu1+esm1)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40023
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (rel_1_2_2)
https://github.com/sqlalchemy/mako/issues/366
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
https://ubuntu.com/security/notices/USN-5625-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security

CVE-2022-40023

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading