Candidate: CVE-2021-21236
PublicDate: 2021-01-06 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21236
 https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
 https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc (2.5.1)
 https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
 https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
 https://pypi.org/project/CairoSVG/
Description:
 CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on
 Cairo. In CairoSVG before version 2.5.1, there is a regular expression
 denial of service (REDoS) vulnerability. When processing SVG files, the
 python package CairoSVG uses two regular expressions which are vulnerable
 to Regular Expression Denial of Service (REDoS). If an attacker provides a
 malicious SVG, it can make cairosvg get stuck processing the file for a
 very long time. This is fixed in version 2.5.1. See Referenced GitHub
 advisory for more information.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979597
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [5.5 MEDIUM]


Patches_cairosvg:
upstream_cairosvg: needs-triage
precise/esm_cairosvg: DNE
trusty_cairosvg: ignored (out of standard support)
trusty/esm_cairosvg: DNE
xenial_cairosvg: ignored (end of standard support, was needs-triage)
bionic_cairosvg: needs-triage
focal_cairosvg: needs-triage
groovy_cairosvg: ignored (reached end-of-life)
hirsute_cairosvg: ignored (reached end-of-life)
impish_cairosvg: needs-triage
jammy_cairosvg: needs-triage
devel_cairosvg: needs-triage