This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern `[a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+`. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Upstream Reference:
https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py#L20
https://github.com/pallets/jinja/pull/1343
Created mingw-python-jinja2 tracking bugs for this issue:
Affects: fedora-33 [bug 1928709]

Created python-jinja2 tracking bugs for this issue:
Affects: fedora-all [bug 1928708]
Flaw summary: The flaw is in the `urlize()` builtin filter [1] of jinja2. As part of its business logic, the filter uses regex pattern `[a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+`, as well as backtracking, making it susceptible to a ReDoS attack when it processes crafted input from an attacker. See [2] for the specific changes on the upstream patch.

urlize() "Converts URLs in plain text into clickable links."

1. https://jinja.palletsprojects.com/en/2.11.x/templates/?highlight=urlize#urlize
2. https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
Mitigation: If using the jinja2 library as a developer, this flaw can be mitigated by not using the vulnerable urlize() filter, and instead, using Markdown to format user content.
Statement: This flaw is out of support scope for the following products:
* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 7
* Red Hat Ceph Storage 2

To learn more about Red Hat Enterprise Linux support scopes, please see https://access.redhat.com/support/policy/updates/errata/

In Red Hat OpenStack Platform, because python-jinja2 is not directly customer exposed, the Impact has been moved to Low and no update will be provided at this time for the RHOSP python-jinja2 package.

Red Hat Quay does not make use of the vulnerable function, so the impact is Low.
Completed the analysis and found that though AAP 1.2 and Ansible Tower do use Jinja2 or Python-Jinja2 templates, the vulnerable functionality, i.e. the urlize filter with the RegEx sub-pattern, is not being used anywhere. Hence, closing the bug as "Not a Bug".
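The flaw summary and the analysis above boil down to two checks a product team can automate: is the shipped jinja2 older than 2.11.3, and do any templates actually apply the urlize filter to content? The following stdlib-only Python audit is an added example, not code from the bug report or from the jinja project; the sample template and version strings are constructed, and the template scan is lexical (it does not parse Jinja), so it is a triage aid rather than proof.

```python
import re
from typing import List, Tuple

# Affected range stated in the advisory: jinja2 >= 0.0.0 and < 2.11.3.
FIXED_VERSION = (2, 11, 3)

# Matches "{{ x|urlize }}", "{{ x | urlize(40) }}" and "{% filter urlize %}".
URLIZE_FILTER = re.compile(r"\|\s*urlize\b|\{%-?\s*filter\s+urlize\b")
JINJA_COMMENT = re.compile(r"\{#.*?#\}", re.S)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.11.2' into (2, 11, 2); a trailing suffix such as 'rc1' is dropped."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this jinja2 version still ships the vulnerable urlize() regex."""
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))  # so "2.11" compares as (2, 11, 0)
    return v < FIXED_VERSION


def find_urlize_uses(template_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line_text) for each line applying the urlize filter.
    Jinja comments are blanked first (keeping their newlines so line numbers stay
    accurate), so a commented-out '{# {{ x|urlize }} #}' is not reported."""
    blanked = JINJA_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), template_source)
    return [(n, line.strip()) for n, line in enumerate(blanked.splitlines(), start=1)
            if URLIZE_FILTER.search(line)]


def audit(template_source: str, jinja2_version: str) -> dict:
    """At risk only if an affected jinja2 is installed AND templates use urlize."""
    uses = find_urlize_uses(template_source)
    affected = is_affected(jinja2_version)
    return {"affected_version": affected, "urlize_uses": uses,
            "at_risk": affected and bool(uses)}


SAMPLE_TEMPLATE = """\
<h1>{{ post.title }}</h1>
{# legacy: {{ post.body|urlize }} #}
<div class="body">{{ post.body | urlize(40, true) }}</div>
{% filter urlize %}{{ post.footer }}{% endfilter %}
<p>{{ post.author|e }}</p>
"""  # constructed sample: urlize is applied on lines 3 and 4 only

if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATE, "2.11.2"))
```

Point `find_urlize_uses` at each template file in a code base and `is_affected` at the version reported by `pip show jinja2` to reproduce the kind of "is the vulnerable functionality used anywhere" check described above.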
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28493
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8

Via RHSA-2021:4161 https://access.redhat.com/errata/RHSA-2021:4161
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162