Vulnerability-Lookup

CVE-2021-43854 (GCVE-0-2021-43854)

Vulnerability from cvelistv5 – Published: 2021-12-23 17:55 – Updated: 2024-08-04 04:10

Title

Inefficient Regular Expression Complexity in nltk

Summary

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	nltk	nltk	Affected: < 3.6.5

CNVD-2022-00605

Vulnerability from cnvd - Published: 2022-01-05

Title

Natural Language Toolkit资源管理错误漏洞

Description

Natural Language Toolkit（NLTK）是一款使用Python语言编写的自然语言处理工具包。 Natural Language Toolkit（NLTK） 3.6.5之前版本存在资源管理错误漏洞，攻击者可利用该漏洞进行拒绝服务攻击。

Severity

中

Patch Name

Natural Language Toolkit资源管理错误漏洞的补丁

Patch Description

Natural Language Toolkit（NLTK）是一款使用Python语言编写的自然语言处理工具包。 Natural Language Toolkit（NLTK） 3.6.5之前版本存在资源管理错误漏洞，攻击者可利用该漏洞进行拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x

Reference

https://github.com/nltk/nltk/pull/2869

Impacted products

Name
Natural Language Toolkit Natural Language Toolkit <3.6.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-43854"
    }
  },
  "description": "Natural Language Toolkit\uff08NLTK\uff09\u662f\u4e00\u6b3e\u4f7f\u7528Python\u8bed\u8a00\u7f16\u5199\u7684\u81ea\u7136\u8bed\u8a00\u5904\u7406\u5de5\u5177\u5305\u3002\n\nNatural Language Toolkit\uff08NLTK\uff09 3.6.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-00605",
  "openTime": "2022-01-05",
  "patchDescription": "Natural Language Toolkit\uff08NLTK\uff09\u662f\u4e00\u6b3e\u4f7f\u7528Python\u8bed\u8a00\u7f16\u5199\u7684\u81ea\u7136\u8bed\u8a00\u5904\u7406\u5de5\u5177\u5305\u3002\r\n\r\nNatural Language Toolkit\uff08NLTK\uff09 3.6.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Natural Language Toolkit\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Natural Language Toolkit Natural Language Toolkit \u003c3.6.5"
  },
  "referenceLink": "https://github.com/nltk/nltk/pull/2869",
  "serverity": "\u4e2d",
  "submitTime": "2021-12-27",
  "title": "Natural Language Toolkit\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

PYSEC-2021-859

Vulnerability from pysec - Published: 2021-12-23 18:15 - Updated: 2022-01-04 17:38

Details

Impacted products

Name	purl
nltk	pkg:pypi/nltk

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk",
        "purl": "pkg:pypi/nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1405aad979c6b8080dbbc8e0858f89b2e3690341"
            }
          ],
          "repo": "https://github.com/nltk/nltk",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8",
        "0.9",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "0.9.9",
        "2.0.1",
        "2.0.1rc1",
        "2.0.1rc2-git",
        "2.0.1rc3",
        "2.0.1rc4",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.0b4",
        "2.0b5",
        "2.0b6",
        "2.0b7",
        "2.0b8",
        "2.0b9",
        "3.0.0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.1",
        "3.2",
        "3.2.1",
        "3.2.2",
        "3.2.3",
        "3.2.4",
        "3.2.5",
        "3.3",
        "3.4",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.4.5",
        "3.5",
        "3.5b1",
        "3.6",
        "3.6.1",
        "3.6.2",
        "3.6.3",
        "3.6.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43854",
    "GHSA-f8m6-h2c7-8h9x"
  ],
  "details": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.",
  "id": "PYSEC-2021-859",
  "modified": "2022-01-04T17:38:55.854845Z",
  "published": "2021-12-23T18:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/pull/2869"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nltk/nltk/issues/2866"
    }
  ]
}

GSD-2021-43854

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-43854

Aliases

CVE-2021-43854

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-43854",
    "description": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.",
    "id": "GSD-2021-43854",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-43854.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-43854"
      ],
      "details": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.",
      "id": "GSD-2021-43854",
      "modified": "2023-12-13T01:23:26.418147Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-43854",
        "STATE": "PUBLIC",
        "TITLE": "Inefficient Regular Expression Complexity in nltk"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "nltk",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 3.6.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "nltk"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x",
            "refsource": "CONFIRM",
            "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
          },
          {
            "name": "https://github.com/nltk/nltk/issues/2866",
            "refsource": "MISC",
            "url": "https://github.com/nltk/nltk/issues/2866"
          },
          {
            "name": "https://github.com/nltk/nltk/pull/2869",
            "refsource": "MISC",
            "url": "https://github.com/nltk/nltk/pull/2869"
          },
          {
            "name": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341",
            "refsource": "MISC",
            "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-f8m6-h2c7-8h9x",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.6.5",
          "affected_versions": "All versions before 3.6.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2022-01-04",
          "description": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. is vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, is vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.",
          "fixed_versions": [
            "3.6.5"
          ],
          "identifier": "CVE-2021-43854",
          "identifiers": [
            "CVE-2021-43854",
            "GHSA-f8m6-h2c7-8h9x"
          ],
          "not_impacted": "All versions starting from 3.6.5",
          "package_slug": "pypi/nltk",
          "pubdate": "2021-12-23",
          "solution": "Upgrade to version 3.6.5 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-43854",
            "https://github.com/nltk/nltk/pull/2869",
            "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341",
            "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x",
            "https://github.com/nltk/nltk/issues/2866"
          ],
          "uuid": "4322dc0a-9e54-4113-afc6-4c0239dd1d57"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.6.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43854"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nltk/nltk/pull/2869",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nltk/nltk/pull/2869"
            },
            {
              "name": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
            },
            {
              "name": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
            },
            {
              "name": "https://github.com/nltk/nltk/issues/2866",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nltk/nltk/issues/2866"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-01-04T16:38Z",
      "publishedDate": "2021-12-23T18:15Z"
    }
  }
}

GHSA-F8M6-H2C7-8H9X

Vulnerability from github – Published: 2022-01-06 17:38 – Updated: 2024-09-26 14:17

Summary

Inefficient Regular Expression Complexity in nltk (word_tokenize, sent_tokenize)

Details

Impact

The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. The effect of this vulnerability is noticeable with the following example:

from nltk.tokenize import word_tokenize

n = 8
for length in [10**i for i in range(2, n)]:
    # Prepare a malicious input
    text = "a" * length
    start_t = time.time()
    # Call `word_tokenize` and naively measure the execution time
    word_tokenize(text)
    print(f"A length of {length:<{n}} takes {time.time() - start_t:.4f}s")

Which gave the following output during testing:

A length of 100      takes 0.0060s
A length of 1000     takes 0.0060s
A length of 10000    takes 0.6320s
A length of 100000   takes 56.3322s
...

I canceled the execution of the program after running it for several hours.

If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability, or applying the workaround described below.

Patches

The problem has been patched in NLTK 3.6.6. After the fix, running the above program gives the following result:

A length of 100      takes 0.0070s
A length of 1000     takes 0.0010s
A length of 10000    takes 0.0060s
A length of 100000   takes 0.0400s
A length of 1000000  takes 0.3520s
A length of 10000000 takes 3.4641s

This output shows a linear relationship in execution time versus input length, which is desirable for regular expressions. We recommend updating to NLTK 3.6.6+ if possible.

Workarounds

The execution time of the vulnerable functions is exponential to the length of a malicious input. With other words, the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

References

The issue showcasing the vulnerability: https://github.com/nltk/nltk/issues/2866
The pull request containing considerably more information on the vulnerability, and the fix: https://github.com/nltk/nltk/pull/2869
The commit containing the fix: 1405aad979c6b8080dbbc8e0858f89b2e3690341
Information on CWE-1333: Inefficient Regular Expression Complexity: https://cwe.mitre.org/data/definitions/1333.html

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/nltk/nltk * Email us at nltk.team@gmail.com

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-05T17:40:20Z",
    "nvd_published_at": "2021-12-23T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe vulnerability is present in [`PunktSentenceTokenizer`](https://www.nltk.org/api/nltk.tokenize.punkt.html#nltk.tokenize.punkt.PunktSentenceTokenizer), [`sent_tokenize`](https://www.nltk.org/api/nltk.tokenize.html#nltk.tokenize.sent_tokenize)  and [`word_tokenize`](https://www.nltk.org/api/nltk.tokenize.html#nltk.tokenize.word_tokenize). Any users of this class, or these two functions, are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. \nIn short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. The effect of this vulnerability is noticeable with the following example:\n```python\nfrom nltk.tokenize import word_tokenize\n\nn = 8\nfor length in [10**i for i in range(2, n)]:\n    # Prepare a malicious input\n    text = \"a\" * length\n    start_t = time.time()\n    # Call `word_tokenize` and naively measure the execution time\n    word_tokenize(text)\n    print(f\"A length of {length:\u003c{n}} takes {time.time() - start_t:.4f}s\")\n```\nWhich gave the following output during testing:\n```python\nA length of 100      takes 0.0060s\nA length of 1000     takes 0.0060s\nA length of 10000    takes 0.6320s\nA length of 100000   takes 56.3322s\n...\n```\nI canceled the execution of the program after running it for several hours.\n\nIf your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability, or applying the workaround described below.\n\n### Patches\nThe problem has been patched in NLTK 3.6.6. After the fix, running the above program gives the following result:\n```python\nA length of 100      takes 0.0070s\nA length of 1000     takes 0.0010s\nA length of 10000    takes 0.0060s\nA length of 100000   takes 0.0400s\nA length of 1000000  takes 0.3520s\nA length of 10000000 takes 3.4641s\n```\nThis output shows a linear relationship in execution time versus input length, which is desirable for regular expressions.\nWe recommend updating to NLTK 3.6.6+ if possible.\n\n### Workarounds\nThe execution time of the vulnerable functions is exponential to the length of a malicious input. With other words, the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.\n\n### References\n* The issue showcasing the vulnerability: https://github.com/nltk/nltk/issues/2866\n* The pull request containing considerably more information on the vulnerability, and the fix: https://github.com/nltk/nltk/pull/2869\n* The commit containing the fix: 1405aad979c6b8080dbbc8e0858f89b2e3690341\n* Information on CWE-1333: Inefficient Regular Expression Complexity: https://cwe.mitre.org/data/definitions/1333.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/nltk/nltk](https://github.com/nltk/nltk)\n* Email us at [nltk.team@gmail.com](mailto:nltk.team@gmail.com)\n",
  "id": "GHSA-f8m6-h2c7-8h9x",
  "modified": "2024-09-26T14:17:15Z",
  "published": "2022-01-06T17:38:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/issues/2866"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/pull/2869"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nltk/nltk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in nltk (word_tokenize, sent_tokenize)"
}

FKIE_CVE-2021-43854

Vulnerability from fkie_nvd - Published: 2021-12-23 18:15 - Updated: 2024-11-21 06:29

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/nltk/nltk/issues/2866	Exploit, Issue Tracking, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/nltk/nltk/pull/2869	Exploit, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/issues/2866	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/pull/2869	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	nltk	nltk	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "355BC362-D4FF-4893-9F37-B97D23E48267",
              "versionEndExcluding": "3.6.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit."
    },
    {
      "lang": "es",
      "value": "NLTK (Natural Language Toolkit) es un conjunto de m\u00f3dulos de c\u00f3digo abierto de Python, conjuntos de datos y tutoriales que apoyan la investigaci\u00f3n y el desarrollo en el procesamiento del lenguaje natural. Las Versiones anteriores a 3.6.5, son vulnerables a ataques de denegaci\u00f3n de servicio con expresiones regulares (ReDoS). La vulnerabilidad est\u00e1 presente en PunktSentenceTokenizer, sent_tokenize y word_tokenize. Cualquier usuario de esta clase, o de estas dos funciones, es vulnerable al ataque ReDoS. En resumen, una entrada larga espec\u00edficamente dise\u00f1ada para cualquiera de estas funciones vulnerables causar\u00e1 que tomen una cantidad significativa de tiempo de ejecuci\u00f3n. Si su programa depende de cualquiera de las funciones vulnerables para tokenizar entradas de usuario imprevisibles, le recomendamos encarecidamente que actualice a una versi\u00f3n de NLTK sin la vulnerabilidad. Para usuarios que no puedan actualizarse, el tiempo de ejecuci\u00f3n puede limitarse mediante la limitaci\u00f3n de la longitud m\u00e1xima de una entrada a cualquiera de las funciones vulnerables. Nuestra recomendaci\u00f3n es implementar dicho l\u00edmite"
    }
  ],
  "id": "CVE-2021-43854",
  "lastModified": "2024-11-21T06:29:56.200",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2021-12-23T18:15:07.327",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/issues/2866"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/pull/2869"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/issues/2866"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/pull/2869"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-43854 (GCVE-0-2021-43854)

CNVD-2022-00605

PYSEC-2021-859

GSD-2021-43854

GHSA-F8M6-H2C7-8H9X

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2021-43854

Tags

Sightings

Nomenclature