CVE-2022-40896 — Unrestricted File Upload in Pygments

CWE-434 — Unrestricted File Upload12 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 79.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pygments Debian Pygments Msrc Azl3 Python-pygments 2.4.2-1 ON Azure Linux 3.0

Timeline

PublishedJul 19

Latest updateApr 1

Description

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/pygments< pygments 2.15.1+dfsg-1 (forky)

▶PyPIpygments/pygments< 2.15.0

▶Debianpygments/pygments< 2.15.1+dfsg-1+1

▶NVDpygments/pygments2.15.0

▶msrcmsrc/azl3_python-pygments_2.4.2-1_on_azure_linux_3.0

Patches

Patch: pyup.io ↗Patch: pyup.io ↗

🔴Vulnerability Details

OSV

c2cciutils affected by CVE-2022-40896↗2026-04-01

▶

GHSA

c2cciutils affected by CVE-2022-40896↗2026-04-01

▶

OSV

CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy↗2023-07-19

▶

GHSA

Pygments vulnerable to ReDoS↗2023-07-19

▶

OSV

Pygments vulnerable to ReDoS↗2023-07-19

▶

📋Vendor Advisories

Ubuntu

Pygments vulnerability↗2024-11-26

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Pygments) — CVE-2022-40896↗2024-04-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: NMS Monitor (Pygments) — CVE-2022-40896↗2024-01-15

▶

Red Hat

pygments: ReDoS in pygments↗2023-11-26

▶

Microsoft

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.↗2023-07-11

▶