What is CVE-2020-28493?

CVE-2020-28493 is a medium-severity vulnerability in Jinja2. CVSS score: 5.3/10. Published 2021-02-01.

How severe is CVE-2020-28493?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2020-28493 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Jinja2

CVE-2020-28493

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for tra…

EPSS: 0.002 (43.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P.

Affected products

N/a Jinja2 — versions 0.0.0, unspecified

Public proof-of-concept exploits

References

snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994 (x_refsource_MISC)
github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinj… (x_refsource_MISC)
github.com/pallets/jinja/pull/1343 (x_refsource_MISC)
FEDORA-2021-2ab8ebcabc (vendor-advisory, x_refsource_FEDORA)
GLSA-202107-19 (vendor-advisory, x_refsource_GENTOO)

Frequently asked questions

What is CVE-2020-28493?: CVE-2020-28493 is a medium-severity vulnerability in Jinja2. CVSS score: 5.3/10. Published 2021-02-01.
How severe is CVE-2020-28493?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2020-28493 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.