Vulnerability Name:

CVE-2021-20270 (CCN-198758)

Assigned:2020-12-10
Published:2020-12-10
Updated:2021-12-10
Summary:An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-835
Vulnerability Consequences:Denial of Service
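The check a practitioner wants from this record is twofold: is the installed Pygments inside the affected range (1.5 through 2.7.3), and does it actually hang on the reproducer the summary names, a Standard ML input that contains only the "exception" keyword. The script below is an added example, not code from this advisory record or from the Pygments project. It runs the lexer in a child interpreter under a wall-clock limit, so a hung lexer is reported as a result instead of stalling the caller; the same out-of-process, time-limited wrapper is the shape of the mitigation for any service that highlights untrusted input (a wiki or pastebin, as the MediaWiki DLA references suggest). The function names, the timeout policy, the "sml" lexer alias and the stderr check for a missing module are this example's own assumptions.

```python
"""Affected-version check and timed out-of-process probe for CVE-2021-20270.

Added example, not code from the advisory or from Pygments. Function names,
the timeout policy and the constructed inputs below are this example's own.
"""
import re
import subprocess
import sys

# Affected range from the advisory: Pygments >= 1.5 and <= 2.7.3.
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (2, 7, 3)

# Constructed reproducer, as described in the advisory summary: a Standard ML
# source that contains nothing but the "exception" keyword.
TRIGGER_INPUT = "exception\n"

# Runs inside a child interpreter so a hung lexer cannot stall the caller.
# "sml" is assumed to be the alias Pygments registers for SMLLexer.
CHILD_SCRIPT = r"""
import sys
from pygments.lexers import get_lexer_by_name
lexer = get_lexer_by_name(sys.argv[1])
print(sum(1 for _ in lexer.get_tokens(sys.stdin.read())))
"""


def parse_version(text):
    """'2.7.3', '2.7', '2.7.3.dev0' -> 3-tuple of ints (non-numeric tail dropped)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version_text):
    """True when the given Pygments version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def installed_pygments_version():
    """Version string of the importable Pygments, or None if it is not installed."""
    try:
        import pygments
    except ImportError:
        return None
    return pygments.__version__


def lex_with_timeout(code, lexer_name, timeout_s=5.0):
    """Lex `code` in a child process under a wall-clock limit.

    Returns (status, token_count): status is "ok", "hang" (child killed at the
    limit), "pygments-missing", or "error" (for example an unknown lexer name).
    For a service highlighting untrusted input, this is the mitigation shape:
    the limit bounds the damage of any lexer that fails to terminate.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT, lexer_name],
            input=code, text=True, capture_output=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left running.
        return ("hang", None)
    if proc.returncode != 0:
        if "No module named" in proc.stderr:
            return ("pygments-missing", None)
        return ("error", None)
    return ("ok", int(proc.stdout.strip()))


def probe_cve_2021_20270(timeout_s=5.0):
    """Feed the advisory's reproducer to the SML lexer under a timeout."""
    return lex_with_timeout(TRIGGER_INPUT, "sml", timeout_s)


if __name__ == "__main__":
    ver = installed_pygments_version()
    print("installed Pygments:", ver,
          "in affected range:", bool(ver and is_affected(ver)))
    print("probe result:", probe_cve_2021_20270())
```

A "hang" result on the probe confirms the installed lexer is exploitable regardless of what the package metadata claims (distributions backport fixes without bumping the upstream version, as the RHSA and SUSE entries below show), so the probe, not the version string, is the authoritative check on a patched host.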
References:Source: MITRE
Type: CNA
CVE-2021-20270

Source: CCN
Type: Red Hat Bugzilla - Bug 1922136
(CVE-2021-20270) - CVE-2021-20270 python-pygments: infinite loop in SML lexer may lead to DoS

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1922136

Source: XF
Type: UNKNOWN
pygments-cve202120270-dos(198758)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210505 [SECURITY] [DLA 2648-1] mediawiki security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210506 [SECURITY] [DLA 2648-2] mediawiki regression update

Source: CCN
Type: Pygments Web site
Pygments

Source: DEBIAN
Type: Third Party Advisory
DSA-4889

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-20270

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:pygments:pygments:*:*:*:*:*:*:*:* (Version >= 1.5 and <= 2.7.3)

Configuration 2:
  • cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openstack_platform:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:software_collections:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::highavailability:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::resilientstorage:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class (P = patch) | Title | Last Modified
oval:org.opensuse.security:def:7462 | P | cifs-utils-6.15-150400.3.9.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7766 | P | python3-Pygments-2.6.1-4.3.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3505 | P | gnome-shell-3.20.4-77.23.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3165 | P | libdjvulibre21-3.5.25.3-5.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94795 | P | python3-Pygments-2.6.1-4.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94617 | P | libXtst-devel-1.2.3-1.24 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95227 | P | xwayland-21.1.4-150400.1.12 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:281 | P | python3-Pygments-2.6.1-2.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:6005 | P | Security update for qemu (Moderate) | 2022-04-11
oval:org.opensuse.security:def:100060 | P | (Moderate) | 2022-04-01
oval:org.opensuse.security:def:99749 | P | (Moderate) | 2022-02-18
oval:org.opensuse.security:def:101940 | P | Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP3) (Important) | 2021-12-14
oval:com.redhat.rhsa:def:20214139 | P | RHSA-2021:4139: resource-agents security, bug fix, and enhancement update (Moderate) | 2021-11-09
oval:com.redhat.rhsa:def:20214150 | P | RHSA-2021:4150: python36:3.6 security and bug fix update (Moderate) | 2021-11-09
oval:com.redhat.rhsa:def:20214151 | P | RHSA-2021:4151: python27:2.7 security update (Moderate) | 2021-11-09
oval:org.opensuse.security:def:111102 | P | Security update for python-Pygments (Important) | 2021-10-31
oval:org.opensuse.security:def:99156 | P | (Moderate) | 2021-10-27
oval:org.opensuse.security:def:8850 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:99351 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:92600 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:106041 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:69741 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:9800 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:101330 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:107996 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:92011 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:73716 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:9045 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:99550 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:92799 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:106240 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:69940 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:64594 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:117510 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:98961 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:92206 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:105651 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:106439 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:10351 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:92401 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:105846 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:9601 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:106726 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:70491 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:1210 | P | python3-Pygments-2.6.1-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62299 | P | python3-Pygments-2.6.1-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72040 | P | python3-Pygments-2.6.1-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101057 | P | python3-Pygments-2.6.1-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:96929 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:7417 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:95842 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:68506 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:10074 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:108606 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:68551 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:75836 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:1461 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:9320 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:5679 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:70214 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:66768 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:118306 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:102555 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:8575 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:109221 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:69460 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:76162 | P | Security update for python-Pygments (Important) | 2021-05-04
oval:org.opensuse.security:def:67094 | P | Security update for python-Pygments (Important) | 2021-05-04