Ubuntu update for pygments

Published: 2021-03-30

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-27291
CWE-ID	CWE-399
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Ubuntu Operating systems & Components / Operating system python-pygments (Ubuntu package) Operating systems & Components / Operating system package or component python3-pygments (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource management error

EUVDB-ID: #VU51776

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-27291

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (ReDoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation

Update the affected package pygments to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 20.10

python-pygments (Ubuntu package): before 2.1+dfsg-1ubuntu0.2

python3-pygments (Ubuntu package): before 2.1+dfsg-1ubuntu0.2

CPE2.3

External links

https://ubuntu.com/security/notices/USN-4897-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.