Vulnerability CVE-2021-27291

Vulnerability Name:

CVE-2021-27291 (CCN-198308)

Assigned:

2021-01-11

Published:

2021-01-11

Updated:

2022-05-23

Summary:

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
3.7 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-Other
CWE-400

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2021-27291

Source: XF
Type: UNKNOWN
pygments-cve202127291-dos(198308)

Source: CCN
Type: GitHub Web site
Regular Expression Denial of Service (REDoS) in pygments

Source: MISC
Type: Exploit, Third Party Advisory
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce

Source: CCN
Type: pygments GIT Repository
pygments

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210319 [SECURITY] [DLA 2600-1] pygments security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210505 [SECURITY] [DLA 2648-1] mediawiki security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210506 [SECURITY] [DLA 2648-2] mediawiki regression update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-166dfc62b2

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-3f975f68c8

Source: DEBIAN
Type: Third Party Advisory
DSA-4878

Source: DEBIAN
Type: Third Party Advisory
DSA-4889

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:

Configuration 1:

cpe:/a:pygments:pygments:*:*:*:*:*:*:*:* (Version >= 1.1 and < 2.7.4)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::highavailability:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::resilientstorage:*:*:*:*:*

Configuration RedHat 4:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7452	P	blas-devel-3.9.0-150000.4.13.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7496	P	flac-devel-1.3.2-150000.3.11.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7766	P	python3-Pygments-2.6.1-4.3.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3533	P	java-1_7_1-ibm-1.7.1_sr4.50-38.41.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3716	P	logrotate-3.11.0-2.14.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3165	P	libdjvulibre21-3.5.25.3-5.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94645	P	libipa_hbac-devel-2.5.2-150400.2.9 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94795	P	python3-Pygments-2.6.1-4.3.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:99767	P	(Important)	2022-03-24
oval:org.opensuse.security:def:100078	P	(Important)	2022-02-18
oval:org.opensuse.security:def:99174	P	(Important)	2021-12-22
oval:org.opensuse.security:def:111145	P	Security update for python-Pygments (Important)	2021-12-03
oval:org.opensuse.security:def:8868	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:92817	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:105864	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:69958	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:64622	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:93273	P	(Important)	2021-12-01
oval:org.opensuse.security:def:9818	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:99163	P	(Important)	2021-12-01
oval:org.opensuse.security:def:106744	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:92224	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:111805	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:68585	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:118341	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:73927	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:815	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:9063	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:106059	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:70318	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:64805	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:93989	P	(Important)	2021-12-01
oval:org.opensuse.security:def:10178	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:100021	P	(Important)	2021-12-01
oval:org.opensuse.security:def:99369	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:108024	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:92419	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:111806	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:69564	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:76401	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:1495	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:9424	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:101358	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:95877	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:106258	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:70509	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:67333	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:10369	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:101546	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:8677	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:99568	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:109256	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:92618	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:105669	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:69759	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:9619	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:102590	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:6244	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:98979	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:106457	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:92029	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:68541	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:117538	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:73744	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:102075	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:20830	P	Security update for python-Pygments (Important)	2021-11-29
oval:org.opensuse.security:def:49301	P	Security update for python-Pygments (Important)	2021-11-29
oval:com.redhat.rhsa:def:20214139	P	RHSA-2021:4139: resource-agents security, bug fix, and enhancement update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214150	P	RHSA-2021:4150: python36:3.6 security and bug fix update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214151	P	RHSA-2021:4151: python27:2.7 security update (Moderate)	2021-11-09

BACK