#VU51449 Infinite loop in pygments - CVE-2021-20270


Vulnerability identifier: #VU51449

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-20270

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pygments
Other software / Other software solutions

Vendor: pygments

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pygments: 2.0 - 2.7.3

External links
https://github.com/pygments/pygments/issues/1625
https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Dell PowerStore Family
Fedora EPEL 7 update for python3-pygments
Ubuntu update for pygments
Multiple Vulnerabilities in IBM CloudPak for Watson AIOPs
Red Hat Enterprise Linux 8 update for the python27:2.7 module
Red Hat Enterprise Linux 8 update for the python36:3.6 module
Red Hat Enterprise Linux 8 update for resource-agents
SUSE update for python-Pygments
Multiple vulnerabilities in Red Hat Ansible Automation Platform