#VU50430 Incorrect Regular Expression in Jinja - CVE-2020-28493

Cybersecurity Help s.r.o.

Published: 2021-02-01 | Updated: 2021-02-09

Vulnerability identifier: #VU50430

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-28493

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jinja
Web applications / Modules and components for CMS

Vendor: The Pallets Projects

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect subpattern applied to untrusted input. A remote attacker can pass specially crafted data to the application and perform a regular expression DoS (ReDOS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jinja: before 2.11.3

External links
https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
https://github.com/pallets/jinja/pull/1343
https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM QRadar Assistant

Multiple vulnerabilities in Juniper Networks Junos cRPD

Multiple vulnerabilities in Juniper Cloud Native Router

Multiple vulnerabilities in IBM QRadar SIEM

Ubuntu update for jinja2

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Ubuntu update for jinja2

Denial of service in IBM Security QRadar Network Threat Analytics

Multiple vulnerabilities in Migration Toolkit for Containers (MTC) 1.7