CVE-2020-28493
ReDoS vulnerability in jinja2 (PyPI)
What is CVE-2020-28493 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `jinja2` package, caused by the inefficient `_punctuation_re` regular expression. An attacker can craft a malicious input that causes the regex to consume excessive processing time, leading to a denial of service. Exploitation is relatively easy for an attacker capable of providing input to the affected component.
Affected Software
Technical Details
The jinja2 package, in all versions before 2.11.3, is susceptible to a ReDoS vulnerability. The core of this issue lies within the `_punctuation_re` regular expression, which uses multiple wildcards. The most problematic wildcard is the final one, intended to match trailing punctuation. An attacker can supply a specially crafted input string that triggers worst-case exponential or polynomial time complexity in the regex engine. This leads to the regex engine backtracking excessively, consuming significant CPU resources and causing the application to become unresponsive, effectively creating a denial of service condition.
What is the Impact of CVE-2020-28493?
Successful exploitation may allow attackers to cause the affected application to become unresponsive or crash, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2020-28493?
Exploitation is of medium complexity, requiring an attacker to be able to provide malicious input to a jinja2 template that uses the vulnerable regex. No authentication or privilege requirements are stated, so if the input mechanism is accessible to unauthenticated users, the attack can be launched remotely. The primary prerequisite is the ability to inject a string that will be processed by the `_punctuation_re` regex. User-controlled content being formatted by the `urlize` filter increases the likelihood of exploitation. Mitigations include using Markdown for user content or implementing request timeouts to reduce the impact.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-28493?
About the Fix from Resolved Security
The patch refactors the URL and email detection logic in the Jinja2 urlize function to remove inefficient regular expressions that caused excessive backtracking, replacing them with simpler, more targeted regex patterns and stepwise string checks. This change mitigates the regular expression denial of service (ReDoS) vulnerability described in CVE-2020-28493 by ensuring that crafted input cannot trigger exponential runtime in urlize, thereby preventing server resource exhaustion.
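To make the Technical Details and the fix description above concrete, the following added example (not code from the jinja2 project) splits a token into leading punctuation, body and trailing punctuation in two ways: with a single anchored lead/middle/trail regex of the backtracking-prone shape the advisory describes (a constructed pattern, not a copy of the project's `_punctuation_re`), and with the stepwise string checks the patch moved to, which run in linear time. The punctuation sets and helper names are assumptions made for this illustration.

```python
from __future__ import annotations
import re

# Constructed example of the regex *shape* the advisory describes: one anchored
# pattern with a leading group, a lazy middle and a trailing punctuation group.
# Overlapping quantifiers of this shape let the engine backtrack heavily.
LEAD_CHARS = ("(", "<", "&lt;")
TRAIL_CHARS = (".", ",", ")", ">", "\n", "&gt;")

PUNCT_RE = re.compile(
    "^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$"
    % ("|".join(map(re.escape, LEAD_CHARS)), "|".join(map(re.escape, TRAIL_CHARS))),
    re.DOTALL,
)


def split_regex(token: str) -> tuple[str, str, str]:
    """Single-regex split: the approach whose backtracking causes the ReDoS."""
    m = PUNCT_RE.match(token)  # every group is optional, so this always matches
    return m.group("lead"), m.group("middle"), m.group("trail")


def _strip_prefixes(s: str, prefixes: tuple[str, ...]) -> tuple[str, str]:
    """Peel known prefixes off the front one at a time; O(n) in the input length."""
    taken = ""
    while True:
        hit = next((p for p in prefixes if s.startswith(p)), None)
        if hit is None:
            return taken, s
        taken, s = taken + hit, s[len(hit):]


def split_stepwise(token: str) -> tuple[str, str, str]:
    """Stepwise string checks in the style of the fix: no regex, no backtracking."""
    lead, rest = _strip_prefixes(token, LEAD_CHARS)
    # Reuse the prefix stripper on the reversed string to peel trailing tokens.
    rev_trail, rev_middle = _strip_prefixes(rest[::-1], tuple(t[::-1] for t in TRAIL_CHARS))
    return lead, rev_middle[::-1], rev_trail[::-1]


def splits_agree(token: str) -> bool:
    """Regression check: the linear-time split reproduces the regex result."""
    return split_regex(token) == split_stepwise(token)


if __name__ == "__main__":
    for sample in ("(https://example.com).", "&lt;user@example.com&gt;,", "plain"):
        print(sample, "->", split_stepwise(sample), "agree:", splits_agree(sample))
```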
Available Upgrade Options
- jinja2
- <2.11.3 → Upgrade to 2.11.3
Additional Resources
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
- https://github.com/pallets/jinja/pull/1343
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
- https://github.com/pallets/jinja
What are Similar Vulnerabilities to CVE-2020-28493?
Similar Vulnerabilities: CVE-2021-38299, CVE-2021-32640, CVE-2021-27905, CVE-2020-16165, CVE-2020-28169
