Bug 2270236 (CVE-2024-21503)
| Summary: | CVE-2024-21503 psf/black: ReDoS via the lines_with_leading_tabs_expanded() function in strings.py file | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | davidn, epacific, jcammara, jhardy, jneedle, jobarker, mabashia, osapryki, simaishi, smcdonal, teagle, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | black 24.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
The python-black package is susceptible to a regular expression denial of service (ReDoS) vulnerability, found in the lines_with_leading_tabs_expanded() function within the strings.py file. This vulnerability could be exploited by running Black on untrusted input or by inserting numerous leading tab characters into docstrings. This flaw allows attackers to craft malicious input to trigger a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2270238 | ||
| Bug Blocks: | 2270240 | ||
|
Description
TEJ RATHI
2024-03-19 07:37:20 UTC
Created python-black tracking bugs for this issue: Affects: fedora-all [bug 2270238] |