{"containers": {"cna": {"affected": [{"product": "python-pygments", "vendor": "n/a", "versions": [{"status": "affected", "version": "python-pygments 2.7.4"}]}], "descriptions": [{"lang": "en", "value": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "CWE-835", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T10:40:34", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, {"name": "DSA-4889", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4889"}, {"name": "[debian-lts-announce] 20210505 [SECURITY] [DLA 2648-1] mediawiki security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"}, {"name": "[debian-lts-announce] 20210506 [SECURITY] [DLA 2648-2] mediawiki regression update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-20270", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "python-pygments", "version": {"version_data": [{"version_value": "python-pygments 2.7.4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-835"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, {"name": "DSA-4889", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4889"}, {"name": "[debian-lts-announce] 20210505 [SECURITY] [DLA 2648-1] mediawiki security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"}, {"name": "[debian-lts-announce] 20210506 [SECURITY] [DLA 2648-2] mediawiki regression update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.034Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, {"name": "DSA-4889", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4889"}, {"name": "[debian-lts-announce] 20210505 [SECURITY] [DLA 2648-1] mediawiki security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"}, {"name": "[debian-lts-announce] 20210506 [SECURITY] [DLA 2648-2] mediawiki regression update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-20270", "datePublished": "2021-03-23T16:40:22", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:37:23.034Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pygments:pygments:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDBA76D7-FE9C-4C7F-9926-36D6A26F9713", "versionEndIncluding": "2.7.3", "versionStartIncluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "542B31BD-5767-4B33-9201-40548D1223B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."}, {"lang": "es", "value": "Un bucle infinito en SMLLexer en Pygments versiones 1.5 hasta 2.7.3, puede conllevar a una denegaci\u00f3n de servicio cuando se lleva a cabo el resaltado de sintaxis de un archivo fuente de Standard ML (SML), como es demostrado por la entrada que solo contiene la palabra clave \"exception\""}], "id": "CVE-2021-20270", "lastModified": "2024-11-21T05:46:15.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-23T17:15:13.827", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4889"}, {"source": "secalert@redhat.com", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4889"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "automation-hub-0:4.2.2-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-django-0:2.2.18-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-bleach-0:3.3.0-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-bleach-allowlist-0:1.0.3-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-galaxy-importer-0:0.2.15-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-galaxy-ng-0:4.2.2-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-pulp-ansible-1:0.5.6-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "automation-hub-0:4.2.2-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-django-0:2.2.18-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-bleach-0:3.3.0-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-bleach-allowlist-0:1.0.3-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-galaxy-importer-0:0.2.15-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-galaxy-ng-0:4.2.2-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-pulp-ansible-1:0.5.6-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:4150", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python36:3.6-8050020210811103506.982725ab", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4151", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8050020210811095446.3e7ace8b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4139", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "resource-agents-0:4.1.1-98.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-babel-0:0.9.6-10.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pygments-0:1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-babel-0:0.9.6-10.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.18-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3252", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-pygments-0:1.5-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}], "bugzilla": {"description": "python-pygments: Infinite loop in SML lexer may lead to DoS", "id": "1922136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922136"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.", "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword."], "name": "CVE-2021-20270", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python-pygments", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-pygments", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "resource-agents", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-pygments", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "impact": "low", "package_name": "google-cloud-sdk", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "google-cloud-sdk", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-pygments", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}], "public_date": "2020-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20270\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20270"], "statement": "In OpenShift Container Platform 3.11, the vulnerable version of python-pygments is embedded in the google-cloud-sdk package, which is shipped in the openshift-ansible container (aos3-installation-container). As the access to the openshift-ansible container is restricted only to cluster administrators, this component is affected but with a Low impact. The google-cloud-sdk package was shipped in OpenShift Container Platform 4.1, which is End of Life.", "threat_severity": "Moderate"}