#VU51449 Infinite loop in pygments


Published: 2021-03-14

Vulnerability identifier: #VU51449

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20270

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pygments
Other software / Other software solutions

Vendor: pygments

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pygments: 2.0 - 2.7.3

External links
http://github.com/pygments/pygments/issues/1625
http://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Dell PowerStore Family
Fedora EPEL 7 update for python3-pygments
Ubuntu update for pygments
Multiple Vulnerabilities in IBM CloudPak for Watson AIOPs
Red Hat Enterprise Linux 8 update for resource-agents
SUSE update for python-Pygments
Multiple vulnerabilities in Red Hat Ansible Automation Platform
openEuler 20.03 LTS SP1 update for python-pygments
SUSE update for python-Pygments