High severityNVD Advisory· Published Mar 17, 2021· Updated Aug 3, 2024
CVE-2021-27291
CVE-2021-27291
Description
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
PygmentsPyPI | >= 1.1, < 2.7.4 | 2.7.4 |
Affected products
95- pygments/pygmentsdescription
- ghsa-coords94 versionspkg:pypi/pygmentspkg:rpm/almalinux/babelpkg:rpm/almalinux/python2-attrspkg:rpm/almalinux/python2-babelpkg:rpm/almalinux/python2-backportspkg:rpm/almalinux/python2-backports-ssl_match_hostnamepkg:rpm/almalinux/python2-bsonpkg:rpm/almalinux/python2-chardetpkg:rpm/almalinux/python2-coveragepkg:rpm/almalinux/python2-Cythonpkg:rpm/almalinux/python2-dnspkg:rpm/almalinux/python2-docspkg:rpm/almalinux/python2-docs-infopkg:rpm/almalinux/python2-docutilspkg:rpm/almalinux/python2-funcsigspkg:rpm/almalinux/python2-idnapkg:rpm/almalinux/python2-ipaddresspkg:rpm/almalinux/python2-jinja2pkg:rpm/almalinux/python2-markupsafepkg:rpm/almalinux/python2-mockpkg:rpm/almalinux/python2-nosepkg:rpm/almalinux/python2-numpypkg:rpm/almalinux/python2-numpy-docpkg:rpm/almalinux/python2-numpy-f2pypkg:rpm/almalinux/python2-pluggypkg:rpm/almalinux/python2-psycopg2pkg:rpm/almalinux/python2-psycopg2-debugpkg:rpm/almalinux/python2-psycopg2-testspkg:rpm/almalinux/python2-pypkg:rpm/almalinux/python2-pygmentspkg:rpm/almalinux/python2-pymongopkg:rpm/almalinux/python2-pymongo-gridfspkg:rpm/almalinux/python2-PyMySQLpkg:rpm/almalinux/python2-pysockspkg:rpm/almalinux/python2-pytestpkg:rpm/almalinux/python2-pytest-mockpkg:rpm/almalinux/python2-pytzpkg:rpm/almalinux/python2-pyyamlpkg:rpm/almalinux/python2-requestspkg:rpm/almalinux/python2-rpm-macrospkg:rpm/almalinux/python2-scipypkg:rpm/almalinux/python2-setuptoolspkg:rpm/almalinux/python2-setuptools_scmpkg:rpm/almalinux/python2-setuptools-wheelpkg:rpm/almalinux/python2-sixpkg:rpm/almalinux/python2-sqlalchemypkg:rpm/almalinux/python2-urllib3pkg:rpm/almalinux/python2-virtualenvpkg:rpm/almalinux/python2-wheelpkg:rpm/almalinux/python2-wheel-wheelpkg:rpm/almalinux/python36pkg:rpm/almalinux/python36-debugpkg:rpm/almalinux/python36-develpkg:rpm/almalinux/python36-rpm-macrospkg:rpm/almalinux/python3-bsonpkg:rpm/almalinux/python3-distropkg:rpm/almalinux/python3-docspkg:rpm/almalinux/python3-docutilspkg:rpm/almalinux/python3-nosepkg:rpm/almalinux/python3-pygmentspkg:rpm/almalinux/python3-pymongopkg:rpm/almalinux/python3-pymongo-gridfspkg:rpm/almalinux/python3-PyMySQLpkg:rpm/almalinux/python3-scipypkg:rpm/almalinux/python3-sqlalchemypkg:rpm/almalinux/python3-virtualenvpkg:rpm/almalinux/python3-wheelpkg:rpm/almalinux/python3-wheel-wheelpkg:rpm/almalinux/python-nose-docspkg:rpm/almalinux/python-psycopg2-docpkg:rpm/almalinux/python-pymongo-docpkg:rpm/almalinux/python-sqlalchemy-docpkg:rpm/almalinux/python-virtualenv-docpkg:rpm/almalinux/resource-agentspkg:rpm/almalinux/resource-agents-aliyunpkg:rpm/almalinux/resource-agents-gcppkg:rpm/almalinux/resource-agents-pafpkg:rpm/opensuse/python-Pygments&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/python-Pygments&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/python-Pygments&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP2pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/python-Pygments&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
>= 1.1, < 2.7.4+ 93 more
- (no CPE)range: >= 1.1, < 2.7.4
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 17.4.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5.1-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.5.0.1-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.0.4-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 4.5.1-4.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.28.1-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.15.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.16-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.14-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.18-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.10-9.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.23-19.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.0.0-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:1.14.2-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.6.0-8.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.5.3-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.2.0-22.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 0.8.0-10.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.6.8-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.4.2-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.9.0-4.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2017.2-12.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.12-16.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.20.0-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3-38.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.0.0-21.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 39.0.1-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.15.7-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 39.0.1-13.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.11.0-6.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1.24.2-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 15.1.0-21.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 1:0.31.1-3.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.6.8-38.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 3.6.8-38.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 3.6.8-38.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 3.6.8-38.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 3.7.0-1.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 1.4.0-2.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 3.6.7-2.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 0.14-12.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 1.3.7-31.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 2.2.0-22.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 3.7.0-1.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 3.7.0-1.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 0.10.1-2.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 1.0.0-21.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 1.3.2-2.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 15.1.0-21.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 1:0.31.1-3.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 1:0.31.1-3.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 1.3.7-31.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 2.7.5-7.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 3.7.0-1.module_el8.5.0+135+5ce32bc4
- (no CPE)range: < 1.3.2-2.module_el8.6.0+2781+fed64c13
- (no CPE)range: < 15.1.0-21.module_el8.5.0+2569+5c5719bc
- (no CPE)range: < 4.1.1-98.el8
- (no CPE)range: < 4.1.1-98.el8
- (no CPE)range: < 4.1.1-98.el8
- (no CPE)range: < 4.1.1-98.el8
- (no CPE)range: < 2.6.1-lp152.5.12.1
- (no CPE)range: < 2.6.1-4.3.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.6.1-4.3.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.4.2-10.7.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.6.1-7.10.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.2.0-4.9.1
- (no CPE)range: < 2.6.1-7.10.1
Patches
Vulnerability mechanics
References
14- github.com/advisories/GHSA-pq64-v7f5-gqh8ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-27291ghsaADVISORY
- www.debian.org/security/2021/dsa-4878ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2021/dsa-4889ghsavendor-advisoryx_refsource_DEBIANWEB
- gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ceghsax_refsource_MISCWEB
- github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14ghsax_refsource_MISCWEB
- github.com/pypa/advisory-database/tree/main/vulns/pygments/PYSEC-2021-141.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2021/03/msg00024.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2021/05/msg00003.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2021/05/msg00006.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQghsaWEB
News mentions
0No linked articles in our index yet.