CVE Vulnerability

CVE-2022-40023

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c Patch Third Party Advisory
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/ Third Party Advisory
https://github.com/sqlalchemy/mako/issues/366 Issue Tracking Patch
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21 Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html Mailing List Third Party Advisory
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Configurations

Configuration 1

cpe:2.3:a:sqlalchemy:mako:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Information

Published : 2022-09-07 01:15

Updated : 2022-12-27 10:15

NVD link : CVE-2022-40023

Mitre link : CVE-2022-40023

Products Affected
No products.
CWE
NVD-CWE-Other