{
  "threat_severity" : "Moderate",
  "public_date" : "2023-11-26T00:00:00Z",
  "bugzilla" : {
    "description" : "pygments: ReDoS in pygments",
    "id" : "2251643",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2251643"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-434",
  "details" : [ "A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.", "A denial-of-service vulnerability related to regular expressions was discovered in Pygments, specifically in the file pygments/lexers/smithy.py. An attacker could exploit this flaw by sending a carefully crafted request, leading to a denial-of-service situation." ],
  "statement" : "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/\nhttps://data.safetycli.com/vulnerabilities/CVE-2022-40896/58910/?utm_source=pyupio&utm_medium=redirect&utm_campaign=pyup_rd&utm_id=0817&utm_content=data",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-02-29T00:00:00Z",
    "advisory" : "RHSA-2024:1057",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-pygments-0:2.17.2-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-03-04T00:00:00Z",
    "advisory" : "RHSA-2024:1072",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "ansible-automation-platform-24/ee-supported-rhel8:1.0.0-572"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-02-29T00:00:00Z",
    "advisory" : "RHSA-2024:1057",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-pygments-0:2.17.2-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-03-04T00:00:00Z",
    "advisory" : "RHSA-2024:1072",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "ansible-automation-platform-24/ee-supported-rhel9:1.0.0-573"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:2010",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "python-pygments-0:2.17.0-1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:2010",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8",
    "package" : "python-pygments-0:2.17.0-1.el8pc"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "aap-cloud-metrics-collector-container",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-24/de-supported-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-24/ee-minimal-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ansible-builder-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ee-cloud-services-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/platform-resource-runner-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-lint",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-navigator",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-ansible-compat",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-django-lifecycle",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-ansible-compat",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-django-lifecycle",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python-pygments",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python-pygments",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "resource-agents",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "python27:2.7/python-pygments",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "python3.11-pip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "python36:3.6/python-pygments",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "resource-agents",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "python3.11-pip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-40896\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-40896" ],
  "name" : "CVE-2022-40896",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}