CVE-2020-28493
Description
RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate)
Description
python-jinja2: ReDoS vulnerability in the urlize filter
Red Hat statement
This flaw is out of support scope for the following products:
* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 7
* Red Hat Ceph Storage 2
To learn more about Red Hat Enterprise Linux support scopes, please see https://access.redhat.com/support/policy/updates/errata/
In Red Hat OpenStack Platform, because python-jinja2 is not directly customer exposed, the Impact has been moved to Low and no update will be provided at this time for the RHOSP python-jinja2 package. Red Hat Quay does not make use of the vulnerable function, so the impact is Low.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | python27:2.7-8050020210811095446.3e7ace8b | RHSA-2021:4151 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python-jinja2-0:2.10.1-3.el8 | RHSA-2021:4161 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python38:3.8-8050020210811101222.e3d35cca | RHSA-2021:4162 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python38-devel:3.8-8050020210811101222.e3d35cca | RHSA-2021:4162 | 2021-11-09T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | python27-babel-0:0.9.6-10.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | python27-python-0:2.7.18-3.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | python27-python-jinja2-0:2.6-16.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | python27-python-pygments-0:1.5-5.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-babel-0:2.7.0-12.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-0:3.8.11-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-cryptography-0:2.8-5.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-jinja2-0:2.10.3-6.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-lxml-0:4.4.1-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-pip-0:19.3.1-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-urllib3-0:1.25.7-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | python27-babel-0:0.9.6-10.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | python27-python-0:2.7.18-3.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | python27-python-jinja2-0:2.6-16.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | python27-python-pygments-0:1.5-5.el7 | RHSA-2021:3252 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-babel-0:2.7.0-12.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-0:3.8.11-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-cryptography-0:2.8-5.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-jinja2-0:2.10.3-6.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-lxml-0:4.4.1-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-pip-0:19.3.1-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-urllib3-0:1.25.7-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | jinja2 | Not affected |
| Red Hat Ansible Automation Platform 1.2 | python-jinja2 | Not affected |
| Red Hat Ansible Tower 3 | jinja2 | Not affected |
| Red Hat Ceph Storage 2 | python-jinja2 | Out of support scope |
| Red Hat Ceph Storage 3 | python-jinja2 | Will not fix |
| Red Hat Enterprise Linux 6 | python-jinja2 | Out of support scope |
| Red Hat Enterprise Linux 7 | python-jinja2 | Out of support scope |
| Red Hat Enterprise Linux 9 | python-jinja2 | Not affected |
| Red Hat OpenStack Platform 13 (Queens) | python-jinja2 | Will not fix |
| Red Hat Quay 3 | quay/quay-rhel8 | Affected |
| Red Hat Satellite 6 | python-jinja2 | Affected |
Apply commands
# Red Hat Enterprise Linux 8 (python-jinja2 plus the python27 and python38 module streams), selected by CVE:
dnf upgrade -y --cve CVE-2020-28493
# or, selected by advisory ID:
dnf upgrade -y --advisory=RHSA-2021:4151,RHSA-2021:4161,RHSA-2021:4162
# Red Hat Software Collections on RHEL 7 (python27-python-jinja2, rh-python38-python-jinja2):
yum update -y --cve CVE-2020-28493
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Ansible Automation Platform 1.2 | Not affected |
| redhat | Red Hat Ansible Tower 3 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat Quay 3 | Affected |
| redhat | Red Hat Satellite 6 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| (not listed) | Affected | (not listed) |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | python3-jinja2-2.10.1-3.el8.noarch.rpm |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| rolling | Fixed | 2.11.3-1 |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.11.3-1 |
| sid | Fixed | 2.11.3-1 |
| forky | Fixed | 2.11.3-1 |
| bullseye | Fixed | 2.11.3-1 |
| bookworm | Fixed | 2.11.3-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | python-jinja2-0:2.10.1-3.el8 (RHSA-2021:4161) |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | RLSA-2021:4161 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | jinja2 | <2.11.3 | 2.11.3 |
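The two tables above give the fixed boundaries in two different version schemes: PEP 440 for the PyPI package (fixed in 2.11.3) and RPM epoch:version-release for the Red Hat errata (python-jinja2-0:2.10.1-3.el8 on RHEL 8, rh-python38-python-jinja2-0:2.10.3-6.el7 in Software Collections). The script below is an added example, not code from this page or from the Jinja project, that checks an installed version against both boundaries and finds templates that pipe user content through the vulnerable urlize filter. It assumes a simplified rpmvercmp (numeric and alphabetic runs only, no tilde or caret handling), treats any suffix on the fixed PEP 440 version as a pre-release, reads the EVR in the format printed by rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n', only matches the filter-pipe form |urlize, and uses constructed sample templates.

```python
import re
from typing import Dict, List, Tuple

# Boundaries taken from this page's "Package impact" and "Errata" tables.
PYPI_FIXED = "2.11.3"
RPM_FIXED_EL8 = "0:2.10.1-3.el8"          # python-jinja2 / python3-jinja2, RHSA-2021:4161
RPM_FIXED_RH_PYTHON38 = "0:2.10.3-6.el7"  # rh-python38-python-jinja2, RHSA-2021:3254


def _segments(s: str) -> List[str]:
    """Split a version or release string into numeric and alphabetic runs,
    the way rpmvercmp tokenises it ("3.el8" -> ["3", "el", "8"])."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: no tilde/caret handling).
    Returns -1, 0 or 1 like the C original."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            # a numeric segment is newer than an alphabetic one at the same position
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # all shared segments equal: whichever string still has segments left is newer
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\\n' <pkg>.
    rpm prints '(none)' for a missing epoch, which counts as 0."""
    epoch_s, sep, rest = evr.partition(":")
    if not sep:
        epoch_s, rest = "(none)", evr
    epoch = 0 if epoch_s == "(none)" else int(epoch_s)
    version, _, release = rest.rpartition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def rpm_is_fixed(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed EVR is at or past the errata's fixed EVR."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def pypi_is_vulnerable(version: str) -> bool:
    """True for jinja2 < 2.11.3. Assumption: only the leading dotted-integer
    part is compared; any suffix on the fixed version (e.g. '2.11.3rc1') is
    treated as a pre-release that still predates the fix."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    key = tuple(int(p) for p in m.group(1).split("."))
    prerelease = m.group(2) != ""
    fixed = tuple(int(p) for p in PYPI_FIXED.split("."))
    return key < fixed or (prerelease and key == fixed)


# Only the filter-pipe form is matched (assumption); a bare urlize(...) call
# inside an expression would not be caught by this pattern.
URLIZE_RE = re.compile(r"\|\s*urlize\b")


def templates_using_urlize(templates: Dict[str, str]) -> List[str]:
    """Names of templates that pipe a value through the urlize filter."""
    return sorted(name for name, src in templates.items() if URLIZE_RE.search(src))


# Constructed sample templates (not from any real project).
SAMPLE_TEMPLATES = {
    "comment.html": "<p>{{ comment.body | urlize(40, true) }}</p>",
    "post.html": "<article>{{ post.body|urlize }}</article>",
    "profile.html": "<p>{{ user.bio | e }}</p>",
}

if __name__ == "__main__":
    print("jinja2 2.11.2 vulnerable:", pypi_is_vulnerable("2.11.2"))
    print("python3-jinja2 (none):2.10.1-2.el8 fixed:",
          rpm_is_fixed("(none):2.10.1-2.el8", RPM_FIXED_EL8))
    print("templates using urlize:", templates_using_urlize(SAMPLE_TEMPLATES))
```

On a RHEL 8 host the installed EVR comes from rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' python3-jinja2; for a virtualenv use the output of pip show jinja2. Templates flagged by the scan are the places where untrusted text reaches the filter, which is what the CVSS vector's A:H (availability only) impact is about.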
References
- https://security.archlinux.org/ASA-202102-19
- https://nvd.nist.gov/vuln/detail/CVE-2020-28493
- https://github.com/pallets/jinja/pull/1343
- https://github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
- https://github.com/advisories/GHSA-g3rq-g295-4j3m
- https://github.com/pallets/jinja
- https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
- https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2021-66.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
- https://security.gentoo.org/glsa/202107-19
- https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
- https://www.suse.com/security/cve/CVE-2020-28493.html
- https://errata.rockylinux.org/RLSA-2021:4162
- https://errata.rockylinux.org/RLSA-2021:4161
- https://errata.rockylinux.org/RLSA-2021:4151
- https://security-tracker.debian.org/tracker/CVE-2020-28493
- https://errata.almalinux.org/8/ALSA-2021-4161.html
- https://errata.almalinux.org/8/ALSA-2021-4151.html
- https://errata.almalinux.org/8/ALSA-2021-4162.html
- https://access.redhat.com/errata/RHSA-2021:4151
- https://access.redhat.com/errata/RHSA-2021:4161
- https://access.redhat.com/errata/RHSA-2021:4162