Bug 1928707 (CVE-2020-28493)

Summary: CVE-2020-28493 python-jinja2: ReDoS vulnerability in the urlize filter
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, anharris, apevec, bbuckingham, bcourt, bdettelb, bkearney, bniver, btotty, chousekn, cmeyers, davidn, flucifre, gblomqui, gmeno, hhorak, hhudgeon, hvyas, jhardy, jjoyce, jorton, jschluet, lewk, lhh, lpeer, lzap, mabashia, manisandro, mbenjamin, mburns, mhackett, mmccune, nmoumoul, notting, orion, osapryki, pcreech, pj.pandit, python-maint, rchan, rjerrido, sclewis, slinaber, smcdonal, sokeeffe, sostapov, thomas.moschny, tomckay, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: jinja2 2.11.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-jinja2. The ReDoS vulnerability in the regex used by the urlize filter is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-24 15:34:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1928708, 1928709, 1929005, 1929006, 1929007, 1929013, 1929014, 1929430, 1929473, 1930921, 1969382, 1969516, 2258834    
Bug Blocks: 1928710    

Description Marian Rehak 2021-02-15 12:23:09 UTC
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Upstream Reference:

https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
https://github.com/pallets/jinja/pull/1343

Comment 1 Marian Rehak 2021-02-15 12:24:01 UTC
Created mingw-python-jinja2 tracking bugs for this issue:

Affects: fedora-33 [bug 1928709]


Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 1928708]

Comment 2 Todd Cullum 2021-02-15 21:50:51 UTC
Flaw summary:

The flaw is in the `urlize()` builtin filter[1] of jinja2. As part of its business logic, the filter uses regex pattern `[a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+`, as well as backtracking, making it susceptible to a ReDoS attack when it processes crafted input from an attacker. See [2] for the specific changes on the upstream patch. urlize() "Converts URLs in plain text into clickable links."

1. https://jinja.palletsprojects.com/en/2.11.x/templates/?highlight=urlize#urlize
2. https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3

Comment 7 Todd Cullum 2021-02-16 01:22:43 UTC
Mitigation:

If using the jinja2 library as a developer, this flaw can be mitigated by not using the vulnerable urlize() filter, and instead, using Markdown to format user content.
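
An added audit helper, not code from the bug report or from the jinja project: it finds templates that apply the urlize filter and flags them when the installed jinja2 predates the fixed release 2.11.3, so a developer can decide where to switch to Markdown or add timeouts. The sample templates and version strings are constructed for the stand-alone run.

```python
"""Audit helper for CVE-2020-28493: locate uses of the Jinja2 `urlize`
filter and check whether the installed jinja2 is older than 2.11.3
(the "Fixed In Version" recorded on this bug)."""
import re

FIXED_VERSION = (2, 11, 3)

# Matches the filter as written in template expressions, e.g.
# {{ comment.body|urlize }} or {{ text | urlize(40, true) }}.
_URLIZE_FILTER_RE = re.compile(r"\|\s*urlize\b")


def parse_version(text):
    """Turn '2.11.2' into (2, 11, 2); missing parts become 0, suffixes are ignored."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if match is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable_version(version_text):
    """True for any jinja2 release before 2.11.3 (the bug says 0.0.0 <= v < 2.11.3)."""
    return parse_version(version_text) < FIXED_VERSION


def find_urlize_uses(template_source):
    """Return the 1-based line numbers on which the urlize filter is applied."""
    return [number for number, line in enumerate(template_source.splitlines(), 1)
            if _URLIZE_FILTER_RE.search(line)]


def audit(templates, version_text):
    """templates: dict of name -> source. Returns the names of templates that
    apply urlize while the installed jinja2 is still an affected version."""
    if not is_vulnerable_version(version_text):
        return []
    return sorted(name for name, source in templates.items() if find_urlize_uses(source))


# Constructed sample templates (not from the bug) so the script runs offline.
SAMPLE_TEMPLATES = {
    "profile.html": "<p>{{ user.bio | urlize(40, true) }}</p>\n",
    "post.html": "<h1>{{ post.title }}</h1>\n<div>{{ post.body|urlize }}</div>\n",
    "footer.html": "<footer>{{ site.name }}</footer>\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_TEMPLATES, "2.11.2"):
        print(name, "applies urlize on line(s)", find_urlize_uses(SAMPLE_TEMPLATES[name]))
```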

Comment 14 Jason Shepherd 2021-02-22 04:31:08 UTC
Statement:

This flaw is out of support scope for the following products:

* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 7
* Red Hat Ceph Storage 2

To learn more about Red Hat Enterprise Linux support scopes, please see https://access.redhat.com/support/policy/updates/errata/

In Red Hat OpenStack Platform, because python-jinja2 is not directly customer-exposed, the Impact has been moved to Low and no update will be provided at this time for the RHOSP python-jinja2 package.

Red Hat Quay does not make use of the vulnerable function, so the impact is Low.

Comment 16 Tapas Jena 2021-03-09 06:19:49 UTC
Completed the analysis and found that though AAP 1.2 and Ansible Tower do use Jinja2 or python-jinja2 templates, the vulnerable functionality, i.e. the urlize filter with the RegEx sub-pattern, is not being used anywhere. Hence, closing the bug as "Not a Bug".

Comment 21 errata-xmlrpc 2021-08-24 08:05:29 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 22 errata-xmlrpc 2021-08-24 08:09:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 23 Product Security DevOps Team 2021-08-24 15:34:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28493

Comment 24 errata-xmlrpc 2021-11-09 17:25:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 25 errata-xmlrpc 2021-11-09 17:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4161 https://access.redhat.com/errata/RHSA-2021:4161

Comment 26 errata-xmlrpc 2021-11-09 17:28:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162