crouchr / learnage


CVE-2021-20270 (High) detected in Pygments-2.5.2-py2.py3-none-any.whl - autoclosed #193

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2021-20270 - High Severity Vulnerability

Vulnerable Library - Pygments-2.5.2-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/be/39/32da3184734730c0e4d3fa3b2b5872104668ad6dc1b5a73d8e477e5fe967/Pygments-2.5.2-py2.py3-none-any.whl

Path to dependency file: learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/zeekctl/aux/capstats

Path to vulnerable library:
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/zeekctl/aux/capstats
- learnage/blackrain2020/original-sources-3rd-party/MySQL-python-1.2.3c1.tar/MySQL-python-1.2.3c1/ez
- learnage/blackrain2020/original-sources-3rd-party/libemu-0.2.0.tar/libemu-0.2.0/bindings/python
- learnage/blackrain2020/original-sources-3rd-party/MySQL-python-1.2.3c1.tar/MySQL-python-1.2.3c1
- learnage/blackrain2020/original-sources-3rd-party/Pyrex-0.9.9.tar/Pyrex-0.9.9/Pyrex/Mac
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/zeekctl/aux/trace-summary
- learnage/environments/production/web-server/apache/br2020-packages/bro-1.5-release.tar/bro-1.5.1/aux/broccoli/bindings/python
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/zeekctl
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/zeekctl/aux/pysubnettree/testing/Scripts/tes
- learnage/blackrain2020/original-sources-3rd-party/honeysnap-1.0.7.tar/honeysnap-1.0.7
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/broker/bindings/python/3rdparty/pybind11/docs/requirements.txt
- learnage/blackrain2020/original-sources-3rd-party/honeysnap-1.0.7.tar/honeysnap-1.0.7/ez
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/binpac
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/doc/requirements.txt
- learnage/environments/production/web-server/apache/br2020-packages/zeek-3.0.6.tar/zeek-3.0.6/aux/broker/docs/requirements.txt

Dependency Hierarchy:
- Sphinx-1.8.5-py2.py3-none-any.whl (Root Library)
  - :x: **Pygments-2.5.2-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: a5f2b4a6eb346dbe0def97e83877b169dc4b8f8c

Found in base branch: master

Vulnerability Details

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Publish Date: 2021-03-23

URL: CVE-2021-20270

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9w8r-397f-prfh

Release Date: 2021-03-23

Fix Resolution: Pygments - 20.12.3


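Added example (editor's note, not part of the bot report or of the learnage repository): a small Python check for the issue above. It does two things a practitioner wants when triaging a scanner hit like this one: it compares a Pygments version string against the affected window the advisory describes (1.5 through 2.7.3), and it runs the SMLLexer on the trigger input the CVE text names, the lone keyword "exception", in a child process under a wall-clock limit so a vulnerable install reports "hang" instead of freezing the caller. Assumptions: 2.7.4 is taken as the first patched release, which is what GHSA-9w8r-397f-prfh lists (the bot's "Fix Resolution" line above gives a different number); Pygments need not be installed, in which case the probe reports that rather than failing; the timeout of 10 seconds is arbitrary.

```python
import subprocess
import sys
from importlib import metadata

# Affected window from the advisory text above: Pygments 1.5 through 2.7.3.
# 2.7.4 is the first patched release per GHSA-9w8r-397f-prfh (assumption taken
# from the advisory, not from the bot comment's "Fix Resolution" line).
FIRST_AFFECTED = (1, 5)
FIRST_FIXED = (2, 7, 4)

# Trigger named in the CVE description: input containing only the "exception" keyword.
TRIGGER_INPUT = "exception"

# Script executed in a throwaway child process so a hung lexer can be killed
# instead of taking the caller down with it. Exit code 3: Pygments not importable.
CHILD_SCRIPT = r"""
import sys
try:
    from pygments.lexers import SMLLexer
except ImportError:
    sys.exit(3)
list(SMLLexer().get_tokens(sys.stdin.read()))
"""


def parse_version(text):
    """'2.7.4' -> (2, 7, 4). Stops at the first non-numeric piece: '2.7.4rc1' -> (2, 7, 4)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version_text):
    """True if the version lies in the advisory's affected window [1.5, 2.7.4)."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def installed_version():
    """Version of the Pygments distribution visible to this interpreter, or None."""
    try:
        return metadata.version("Pygments")
    except metadata.PackageNotFoundError:
        return None


def probe_sml_lexer(source=TRIGGER_INPUT, timeout=10.0):
    """Lex `source` with SMLLexer in a child process under a wall-clock limit.

    Returns one of "ok", "hang", "pygments-not-installed", "error".
    """
    try:
        completed = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            input=source,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout, so nothing is left spinning.
        return "hang"
    if completed.returncode == 3:
        return "pygments-not-installed"
    if completed.returncode == 0:
        return "ok"
    return "error"


if __name__ == "__main__":
    version = installed_version()
    print("installed Pygments:", version or "not installed")
    if version is not None:
        print("in affected range:", is_affected(version))
    print("SMLLexer probe on %r: %s" % (TRIGGER_INPUT, probe_sml_lexer()))
```

The version check alone is what the scanner did; the probe is the part worth keeping, because a vendored or patched copy can carry a version string that does not match its behaviour, and because running the trigger in-process would leave you with a stuck interpreter rather than a verdict.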

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.