Medium severity5.3NVD Advisory· Published Feb 1, 2021· Updated Jun 17, 2026
CVE-2020-28493
CVE-2020-28493
Description
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Jinja2PyPI | < 2.11.3 | 2.11.3 |
Affected products
124- jinja2/jinja2description
- ghsa-coords123 versionspkg:pypi/jinja2pkg:rpm/almalinux/babelpkg:rpm/almalinux/python2-attrspkg:rpm/almalinux/python2-babelpkg:rpm/almalinux/python2-backportspkg:rpm/almalinux/python2-backports-ssl_match_hostnamepkg:rpm/almalinux/python2-bsonpkg:rpm/almalinux/python2-chardetpkg:rpm/almalinux/python2-coveragepkg:rpm/almalinux/python2-Cythonpkg:rpm/almalinux/python2-dnspkg:rpm/almalinux/python2-docspkg:rpm/almalinux/python2-docs-infopkg:rpm/almalinux/python2-docutilspkg:rpm/almalinux/python2-funcsigspkg:rpm/almalinux/python2-idnapkg:rpm/almalinux/python2-ipaddresspkg:rpm/almalinux/python2-jinja2pkg:rpm/almalinux/python2-markupsafepkg:rpm/almalinux/python2-mockpkg:rpm/almalinux/python2-nosepkg:rpm/almalinux/python2-numpypkg:rpm/almalinux/python2-numpy-docpkg:rpm/almalinux/python2-numpy-f2pypkg:rpm/almalinux/python2-pluggypkg:rpm/almalinux/python2-psycopg2pkg:rpm/almalinux/python2-psycopg2-debugpkg:rpm/almalinux/python2-psycopg2-testspkg:rpm/almalinux/python2-pypkg:rpm/almalinux/python2-pygmentspkg:rpm/almalinux/python2-pymongopkg:rpm/almalinux/python2-pymongo-gridfspkg:rpm/almalinux/python2-PyMySQLpkg:rpm/almalinux/python2-pysockspkg:rpm/almalinux/python2-pytestpkg:rpm/almalinux/python2-pytest-mockpkg:rpm/almalinux/python2-pytzpkg:rpm/almalinux/python2-pyyamlpkg:rpm/almalinux/python2-requestspkg:rpm/almalinux/python2-rpm-macrospkg:rpm/almalinux/python2-scipypkg:rpm/almalinux/python2-setuptoolspkg:rpm/almalinux/python2-setuptools_scmpkg:rpm/almalinux/python2-setuptools-wheelpkg:rpm/almalinux/python2-sixpkg:rpm/almalinux/python2-sqlalchemypkg:rpm/almalinux/python2-urllib3pkg:rpm/almalinux/python2-virtualenvpkg:rpm/almalinux/python2-wheelpkg:rpm/almalinux/python2-wheel-wheelpkg:rpm/almalinux/python38-asn1cryptopkg:rpm/almalinux/python38-atomicwritespkg:rpm/almalinux/python38-attrspkg:rpm/almalinux/python38-babelpkg:rpm/almalinux/python38-cffipkg:rpm/almalinux/python38-chardetpkg:rpm/almalinux/python38-cryptographypkg:rpm/almalinux/python38-Cythonpkg:rpm/almalinux/python38-idnapkg:rpm/almalinux/python38-jinja2pkg:rpm/almalinux/python38-markupsafepkg:rpm/almalinux/python38-mod_wsgipkg:rpm/almalinux/python38-more-itertoolspkg:rpm/almalinux/python38-numpypkg:rpm/almalinux/python38-numpy-docpkg:rpm/almalinux/python38-numpy-f2pypkg:rpm/almalinux/python38-packagingpkg:rpm/almalinux/python38-pluggypkg:rpm/almalinux/python38-plypkg:rpm/almalinux/python38-psutilpkg:rpm/almalinux/python38-psycopg2pkg:rpm/almalinux/python38-psycopg2-docpkg:rpm/almalinux/python38-psycopg2-testspkg:rpm/almalinux/python38-pypkg:rpm/almalinux/python38-pycparserpkg:rpm/almalinux/python38-PyMySQLpkg:rpm/almalinux/python38-pyparsingpkg:rpm/almalinux/python38-pysockspkg:rpm/almalinux/python38-pytestpkg:rpm/almalinux/python38-pytzpkg:rpm/almalinux/python38-pyyamlpkg:rpm/almalinux/python38-requestspkg:rpm/almalinux/python38-scipypkg:rpm/almalinux/python38-setuptoolspkg:rpm/almalinux/python38-setuptools-wheelpkg:rpm/almalinux/python38-sixpkg:rpm/almalinux/python38-urllib3pkg:rpm/almalinux/python38-wcwidthpkg:rpm/almalinux/python38-wheelpkg:rpm/almalinux/python38-wheel-wheelpkg:rpm/almalinux/python3-jinja2pkg:rpm/almalinux/python-nose-docspkg:rpm/almalinux/python-psycopg2-docpkg:rpm/almalinux/python-sqlalchemy-docpkg:rpm/opensuse/python-Jinja2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Jinja2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Jinja2&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP2pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2012%20SP2pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-CLIENT-TOOLSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-CLIENT-TOOLSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2011-PUBCLOUDpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/python-Jinja2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/python-Jinja2&distro=SUSE%20Manager%20Client%20Tools%2012pkg:rpm/suse/python-Jinja2&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/python-Jinja2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/python-Jinja2&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Jinja2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 2.11.3+ 122 more
- (no CPE)range: < 2.11.3
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 17.4.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.5.0.1-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.0.4-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 4.5.1-4.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.28.1-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.15.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.14-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.18-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.10-9.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.23-19.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.0.0-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.6.0-8.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.5.3-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.2.0-22.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.8.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.6.8-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.4.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.9.0-4.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2017.2-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.12-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.20.0-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3-38.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.0-21.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 39.0.1-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.15.7-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 39.0.1-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.11.0-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.24.2-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 15.1.0-21.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.2.0-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.3.0-8.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 19.3.0-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.7.0-11.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.13.2-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 3.0.4-19.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.8-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.29.14-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.8-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.10.3-5.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.1.1-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 4.6.8-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 7.2.0-5.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 19.2-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.13.0-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 3.11-10.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 5.6.4-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.8.0-8.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.19-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.10.1-1.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.4.5-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.7.1-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 4.6.6-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2019.3-3.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 5.4.1-1.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.22.0-9.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.3.1-4.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 41.6.0-5.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 41.6.0-5.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.12.0-10.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 1.25.7-5.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.1.7-16.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.33.6-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 0.33.6-6.module_el8.6.0+2778+cd494b30
- (no CPE)range: < 2.10.1-3.el8
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.0.1-3.2
- (no CPE)range: < 2.9.6-3.6.1
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.8-19.23.1
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.8-19.23.1
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.8-22.11.1
- (no CPE)range: < 2.6-2.19.5.1
- (no CPE)range: < 2.6-2.19.5.1
- (no CPE)range: < 2.6-2.19.5.1
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.8-19.23.1
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.10.1-3.10.2
- (no CPE)range: < 2.8-22.11.1
- (no CPE)range: < 2.9.6-3.6.1
- (no CPE)range: < 2.10.1-3.6.1
- (no CPE)range: < 2.9.6-3.6.1
- (no CPE)range: < 2.10.1-3.6.1
Patches
Vulnerability mechanics
References
10- github.com/pallets/jinja/pull/1343nvdPatchThird Party AdvisoryWEB
- snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-g3rq-g295-4j3mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-28493ghsaADVISORY
- security.gentoo.org/glsa/202107-19nvdThird Party AdvisoryWEB
- github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20nvdBroken LinkWEB
- github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4dghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2021-66.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/nvd
News mentions
0No linked articles in our index yet.