CVE-2022-34749: High severity Mistune Project Mistune vulnerability
Published Jul 25, 2022
In mistune through 2.0.2, inline markup support is implemented with regular expressions that can backtrack heavily on certain edge-case inputs, a behavior commonly called catastrophic backtracking. Parsing such inputs can take time that grows rapidly with input length, so an untrusted document can consume excessive CPU in the parser (a regular-expression denial of service).
Affected Software
6 affected components; fixes available

Component                                  Affected versions      Fixed version
pip/mistune                                >=2.0.0a1, <2.0.3      2.0.3
Mistune Project Mistune                    <=2.0.2
Fedoraproject Fedora                       =37
IBM Watson Studio on Cloud Pak for Data    <=4.0
IBM Watson Studio on Cloud Pak for Data    <=5.0
redhat/mistune                             <2.0.3                 2.0.3
Remediation
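The affected range above is expressed in pip-style version specifiers, and the lower bound is a pre-release (2.0.0a1), which naive string comparison gets wrong. The following is an added example (not code from the Mistune project or from this advisory) that checks whether a given or installed mistune version falls inside the advisory's range using only the standard library. It assumes a small PEP 440-style parser that handles release numbers plus optional a/b/rc pre-release tags, which is enough for the versions listed here; the `installed_mistune_version` helper is an assumption built on `importlib.metadata` and returns None when mistune is not installed.

```python
"""Evaluate CVE-2022-34749's affected range for a given mistune version.

Ranges from the advisory (constructed constants, copied from the page):
  pip/mistune: >=2.0.0a1, <2.0.3   (fixed in 2.0.3)
  vendor entry: <=2.0.2            (no lower bound)
"""
import re
from importlib import metadata
from typing import Optional, Tuple

AFFECTED_LOWER = "2.0.0a1"   # first affected version in the pip range
FIXED_VERSION = "2.0.3"      # first fixed version (range upper bound, exclusive)

# Minimal PEP 440-style form: release segment plus optional a/b/rc pre-release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

# Pre-release tags sort a < b < rc < final for the same release number.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn '2.0.0a1' into ((2, 0, 0), (0, 1)) so tuples compare correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Pad so that 2.0 and 2.0.0 compare equal.
    while len(release) < 3:
        release += (0,)
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return release, pre


def is_affected(version: str, lower: Optional[str] = AFFECTED_LOWER) -> bool:
    """True if `version` lies in [lower, FIXED_VERSION).

    Pass lower=None to evaluate the vendor entry '<=2.0.2', which has no
    lower bound and therefore also covers the 0.8.x and 1.x lines.
    """
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return False
    if lower is None:
        return True
    return v >= parse_version(lower)


def installed_mistune_version() -> Optional[str]:
    """Return the installed mistune version, or None if it is not installed."""
    try:
        return metadata.version("mistune")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_mistune_version()
    if installed is None:
        print("mistune is not installed in this environment")
    else:
        state = "AFFECTED" if is_affected(installed) else "not affected"
        print(f"mistune {installed}: {state} by CVE-2022-34749 (fix: {FIXED_VERSION})")
```

Running the script reports the installed mistune version against the pip range; pass `lower=None` to `is_affected` to apply the vendor's unbounded `<=2.0.2` entry instead.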
Event History
Jul 25, 2022: CVE Published (via MITRE, 12:00 AM)
Jul 25, 2022: Data Sourced (via MITRE, 12:00 AM); updated: Description
Jul 26, 2022: Advisory Published (via GitHub, 12:00 AM)
Jul 29, 2022: Data Sourced (via Red Hat, 06:35 AM); updated: Description, Severity, Affected Software
Aug 28, 2025: Data Sourced (via IBM, 12:00 AM); updated: Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2022-34749?
   CVE-2022-34749 is considered a medium severity vulnerability due to the potential for catastrophic backtracking in regular expressions.
2. How do I fix CVE-2022-34749?
   To fix CVE-2022-34749, upgrade Mistune to version 2.0.3 or later.
3. Which versions of Mistune are affected by CVE-2022-34749?
   CVE-2022-34749 affects Mistune versions up to 2.0.2.
4. Is CVE-2022-34749 specific to certain operating systems or distributions?
   CVE-2022-34749 may impact systems using affected versions of Mistune, including those running Fedora 37.
5. Does CVE-2022-34749 affect IBM Cognos Analytics?
   Yes, CVE-2022-34749 affects IBM Cognos Analytics versions up to 12.0.3 and 11.2.4 FP4.