#VU51776 Resource management error in pygments


Published: 2021-03-30

Vulnerability identifier: #VU51776

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27291

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pygments
Other software / Other software solutions

Vendor: pygments

Description

The vulnerability allows a remote attacker to perform a denial of service (ReDoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pygments: 1.1 - 2.7.3

External links
http://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
http://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
http://lists.debian.org/debian-lts-announce/2021/03/msg00024.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Dell PowerStore Family
Fedora EPEL 7 update for python3-pygments
Ubuntu update for pygments
SUSE update for python-Pygments
SUSE update for python-Pygments
SUSE update for python-Pygments
SUSE update for python-Pygments
Red Hat Enterprise Linux 8 update for resource-agents
Multiple vulnerabilities in Red Hat Ansible Automation Platform