CVE-2022-40023

NameCVE-2022-40023
DescriptionSqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3116-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mako (PTS)buster1.0.7+ds1-1vulnerable
buster (security)1.0.7+ds1-1+deb10u1fixed
bullseye1.1.3+ds1-2vulnerable
bookworm1.2.4+ds-1fixed
sid, trixie1.3.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
makosourcebuster1.0.7+ds1-1+deb10u1DLA-3116-1
makosource(unstable)1.2.2+ds1-1

Notes

[bullseye] - mako <no-dsa> (Minor issue)
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (rel_1_2_2)
https://github.com/sqlalchemy/mako/issues/366

Search for package or bug name: Reporting problems