Описание
Django denial-of-service in django.utils.html.strip_tags()
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-53907
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-156.yaml
- https://groups.google.com/g/django-announce
- https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html
- https://www.djangoproject.com/weblog/2024/dec/04/security-releases
- https://www.openwall.com/lists/oss-security/2024/12/04/3
Пакеты
Django
>= 5.1.0, < 5.1.4
5.1.4
Django
>= 4.2.0, < 4.2.17
4.2.17
Django
>= 5.0.0, < 5.0.10
5.0.10
django
>= 5.1, < 5.1.4
5.1.4
django
>= 5.0, < 5.0.10
5.0.10
django
>= 4.2, < 4.2.17
4.2.17
Связанные уязвимости
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, ...
Уязвимость функции strip_tags() модуля django.utils.html программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании