MidnightBSD

Advisories for pygments

CVE-2015-8557 HIGH

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
canonical ubuntu_linux 15.04
pygments pygments 1.4
pygments pygments 1.5
pygments pygments 2.0.1
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
pygments pygments 1.3
canonical ubuntu_linux 12.04
pygments pygments 2.0
pygments pygments 1.2.2
pygments pygments 1.3.1
pygments pygments 1.6
CVE-2021-20270 MEDIUM

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.0
redhat openshift_container_platform 3.11
redhat openstack_platform 10.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 8.0
debian debian_linux 10.0
debian debian_linux 9.0
redhat software_collections -
fedoraproject fedora 33
pygments pygments *
CVE-2021-27291 MEDIUM

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1333,

Products Affected

Vendor Product Version
fedoraproject fedora 32
debian debian_linux 10.0
debian debian_linux 9.0
fedoraproject fedora 33
pygments pygments *
CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Products Affected

Vendor Product Version
pygments pygments *