CVE-2022-40023

Published: 7 September 2022

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
mako Launchpad, Ubuntu, Debian	bionic	Released (1.0.7+ds1-1ubuntu0.2)
	focal	Released (1.1.0+ds1-1ubuntu2.1)
	jammy	Released (1.1.3+ds1-2ubuntu0.1)
	kinetic	Released (1.1.3+ds1-3ubuntu2.1)
	trusty	Ignored (out of standard support)
	upstream	Released (1.2.2+ds1-1, 1.2.2)
	xenial	Released (1.0.3+ds1-1ubuntu1+esm1)
	Patches: upstream: https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40023
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (rel_1_2_2)
https://github.com/sqlalchemy/mako/issues/366
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
https://ubuntu.com/security/notices/USN-5625-1
https://ubuntu.com/security/notices/USN-5625-2
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›