CVE-2022-40023 — Regex Denial of Service in Mako

CWE-1333 — Regex Denial of Service9 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sqlalchemy Mako Debian Mako Debian Linux +4 more

Timeline

PublishedSep 7

Latest updateNov 15

Description

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDsqlalchemy/mako< 1.2.2

▶PyPIsqlalchemy/mako< 1.2.2

▶Debiansqlalchemy/mako< 1.1.3+ds1-2+deb11u1+3

▶debiandebian/mako< mako 1.2.2+ds1-1 (bookworm)

▶msrcmsrc/cm1_python-mako_1.0.7-5_on_cbl_mariner_1.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

mako is vulnerable to Regular Expression Denial of Service↗2022-09-16

▶

GHSA

mako is vulnerable to Regular Expression Denial of Service↗2022-09-16

▶

OSV

CVE-2022-40023: Sqlalchemy mako before 1↗2022-09-07

▶

📋Vendor Advisories

Ubuntu

Mako vulnerability↗2022-11-15

▶

Ubuntu

Mako vulnerability↗2022-09-21

▶

Microsoft

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.↗2022-09-13

▶

Red Hat

python-mako: REDoS in Lexer class↗2022-09-07

▶

Debian

CVE-2022-40023: mako - Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Servi...↗2022

▶