#VU51776 Resource management error in pygments - CVE-2021-27291

Cybersecurity Help s.r.o.

Published: 2021-03-30

Vulnerability identifier: #VU51776

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-27291

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pygments
Other software / Other software solutions

Vendor: pygments

Description

The vulnerability allows a remote attacker to perform a denial of service (ReDoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pygments: 1.1 - 2.7.3

External links
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Multiple vulnerabilities in Dell PowerStore Family

Fedora EPEL 7 update for python3-pygments

Ubuntu update for pygments

SUSE update for python-Pygments

Red Hat Enterprise Linux 8 update for the python27:2.7 module

Red Hat Enterprise Linux 8 update for the python36:3.6 module