The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 15.04 |
| pygments | pygments | 1.4 |
| pygments | pygments | 1.5 |
| pygments | pygments | 2.0.1 |
| canonical | ubuntu_linux | 15.10 |
| canonical | ubuntu_linux | 14.04 |
| pygments | pygments | 1.3 |
| canonical | ubuntu_linux | 12.04 |
| pygments | pygments | 2.0 |
| pygments | pygments | 1.2.2 |
| pygments | pygments | 1.3.1 |
| pygments | pygments | 1.6 |
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | openshift_container_platform | 3.11 |
| redhat | openstack_platform | 10.0 |
| redhat | openshift_container_platform | 4.0 |
| redhat | enterprise_linux | 8.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
| redhat | software_collections | - |
| fedoraproject | fedora | 33 |
| pygments | pygments | * |
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-1333,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 32 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 33 |
| pygments | pygments | * |
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pygments | pygments | * |