{
  "threat_severity" : "Moderate",
  "public_date" : "2022-07-26T00:00:00Z",
  "bugzilla" : {
    "description" : "mistune: catastrophic backtracking",
    "id" : "2112230",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2112230"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1333",
  "details" : [ "In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.", "A regular expression denial of service (ReDoS) flaw was found in the asteris emphasis regular expression implementation in Mistune. By sending specially-crafted regex input, a remote attacker could invoke a catastrophic backtrack, resulting in a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 7.1",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2769",
    "cpe" : "cpe:/a:redhat:ceph_storage:7.1::el8",
    "package" : "ceph-2:18.2.1-381.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.1",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2711",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.1::el9",
    "package" : "ceph-2:19.2.1-331.el9cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2737",
    "cpe" : "cpe:/a:redhat:ceph_storage:8::el9",
    "package" : "rhceph/rhceph-8-rhel9:sha256:2325f237ab329cb3f1d3db4da40ed19f68d6daa2a5902c71be3f0d3cfcadd503"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Will not fix",
    "package_name" : "python-mistune",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "python-mistune",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-34749\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-34749\nhttps://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2" ],
  "name" : "CVE-2022-34749",
  "csaw" : false
}