製品・ソフトウェアに関する情報

JVN脆弱性詳細

Pygments における無限ループに関する脆弱性

Title	Pygments における無限ループに関する脆弱性
Summary	Pygments には、無限ループに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Jan. 29, 2021, midnight
Registration Date	Nov. 26, 2021, 2:53 p.m.
Last Update	Nov. 26, 2021, 2:53 p.m.

Affected System

レッドハット

Red Hat Enterprise Linux

Red Hat OpenShift Container Platform

Red Hat OpenStack Platform

Red Hat Software Collections

Fedora Project

Fedora

Pygments

Pygments 1.5 から 2.7.3

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-20270	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20270
National Vulnerability Database (NVD)
2	CVE-2021-20270	https://nvd.nist.gov/vuln/detail/CVE-2021-20270

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-835	https://cwe.mitre.org/data/definitions/835.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	Top Page	https://lists.fedoraproject.org/
Pygments
2	Top Page	https://pygments.org/
Red Hat Bugzilla
3	Bug 1922136	https://bugzilla.redhat.com/show_bug.cgi?id=1922136

Change Log

No	Changed Details	Date of change
1	[2021年11月26日] 掲載	Nov. 26, 2021, 2:53 p.m.

NVD Vulnerability Information

CVE-2021-20270

Summary	An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Publication Date	March 24, 2021, 2:15 a.m.
Registration Date	March 24, 2021, 10:01 a.m.
Last Update	Nov. 21, 2024, 2:46 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pygments:pygments::::::::		1.5	2.7.3

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
cpe:2.3:a:redhat:software_collections:-:::::::*
cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
cpe:2.3:a:redhat:openstack_platform:10.0:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:33:::::::*

Related information, measures and tools

No	URL	タグ
1	https://bugzilla.redhat.com/show_bug.cgi?id=1922136	Issue Tracking Patch Third Party Advisory
2	https://bugzilla.redhat.com/show_bug.cgi?id=1922136	Issue Tracking Patch Third Party Advisory
3	https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html	Mailing List Third Party Advisory
4	https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html	Mailing List Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html	Mailing List Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html	Mailing List Third Party Advisory
7	https://www.debian.org/security/2021/dsa-4889	Third Party Advisory
8	https://www.debian.org/security/2021/dsa-4889	Third Party Advisory
9	https://www.oracle.com/security-alerts/cpuoct2021.html	Not Applicable Third Party Advisory
10	https://www.oracle.com/security-alerts/cpuoct2021.html	Not Applicable Third Party Advisory

Common Vulnerabilities List

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
cpe:2.3:a:redhat:software_collections:-:::::::*
cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
cpe:2.3:a:redhat:openstack_platform:10.0:::::::*