7.5
CVE-2022-40023
- EPSS 1.72%
- Veröffentlicht 07.09.2022 13:15:09
- Zuletzt bearbeitet 03.12.2025 07:16:01
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sqlalchemy ≫ Mako Version < 1.2.2
Debian ≫ Debian Linux Version10.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.72% | 0.747 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
https://github.com/sqlalchemy/mako/issues/366
https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
https://lists.debian.org/debian-lts-announce/2025/12/msg00004.html