Description
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
An inefficient regular expression complexity issue was found in Django: the regular expressions used by the text truncator exhibit linear backtracking complexity, so certain HTML inputs make matching slow enough to cause a denial of service. In practice the exposure is any view or template that feeds attacker-controlled (or attacker-influenced) HTML through truncatechars_html or truncatewords_html, or calls Truncator.chars()/words() with html=True directly; the worker handling that request burns CPU for the duration. The fix is to upgrade to 3.2.22, 4.1.12 or 4.2.6 (or later).
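The following is an added example, not code from the Django project or from this advisory. It encodes the affected version ranges stated above as a check a deployment audit can run, and adds a defense-in-depth input cap for applications that cannot upgrade immediately. The `MAX_HTML_INPUT_CHARS` value and the tag-boundary backoff in `cap_html_input` are assumptions of this example, not Django's own fix (the fix is to upgrade); `safe_truncate_html` takes the real truncation callable as a parameter because Django is not imported here, and the inputs at the bottom are constructed.

```python
# Added example: not code from the Django project or from this advisory page.
# The version ranges come from the advisory text; the input cap and the
# tag-boundary backoff are this example's own assumptions (defense in depth),
# not Django's fix, which is to upgrade to 3.2.22 / 4.1.12 / 4.2.6.
import re

# (major, minor) series -> first fixed patch release, per the advisory.
FIXED_IN = {
    (3, 2): (3, 2, 22),
    (4, 1): (4, 1, 12),
    (4, 2): (4, 2, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Turn '4.2.5', '4.2' or '4.2.5rc1' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version):
    """True if `version` is in an affected range from the advisory,
    False if it is a listed series at or past the fixed release,
    None if the series is not mentioned by the advisory at all."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


# Assumed cap for the wrapper below: a parameter of this example, not a Django setting.
MAX_HTML_INPUT_CHARS = 100_000


def cap_html_input(text, limit=MAX_HTML_INPUT_CHARS):
    """Bound the amount of HTML handed to an html=True truncator.

    Cuts `text` to at most `limit` characters. If the cut lands after a '<'
    that has no matching '>' (an unterminated tag, or a run of stray '<'),
    everything from that '<' onward is dropped too, so the capped string ends
    on a text or tag boundary instead of on exactly the kind of malformed
    tail the advisory warns about.
    """
    if len(text) <= limit:
        return text
    head = text[:limit]
    last_close = head.rfind(">")
    first_open_after = head.find("<", last_close + 1)
    if first_open_after != -1:
        head = head[:first_open_after]
    return head


def safe_truncate_html(text, truncate, limit=MAX_HTML_INPUT_CHARS):
    """Apply the cap, then delegate to the real truncation callable.

    `truncate` is expected to be something like
    lambda s: Truncator(s).chars(50, html=True) in a Django project.
    """
    return truncate(cap_html_input(text, limit))


if __name__ == "__main__":
    for v in ("3.2.21", "3.2.22", "4.1.12", "4.2.5", "4.2.6", "5.0"):
        print(v, "affected:", is_affected(v))
    # Constructed malformed input: a paragraph followed by a long run of '<'.
    hostile = "<p>" + "x" * 10 + "<" * 50
    print(repr(cap_html_input(hostile, limit=20)))
    print(safe_truncate_html(hostile, lambda s: s[:8], limit=20))
```

In a Django project the callable passed to `safe_truncate_html` would be the real `Truncator(s).chars(n, html=True)` or `.words(n, html=True)`; note that the cap only bounds how much text the regex sees, it does not change the regex, so it is a mitigation, not a replacement for the upgrade.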
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Certification for Red Hat Enterprise Linux 7 | python-django | Affected | | |
Red Hat OpenStack Platform 16.1 | python-django20 | Out of support scope | | |
Red Hat OpenStack Platform 16.2 | python-django20 | Out of support scope | | |
Red Hat OpenStack Platform 17.0 | python-django | Not affected | | |
Red Hat OpenStack Platform 17.1 | python-django | Not affected | | |
Red Hat OpenStack Platform 18.0 | python-django | Affected | | |
Red Hat Storage 3 | python-django | Affected | | |
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | python3x-django | Fixed | RHSA-2023:5758 | 16.10.2023 |
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | automation-controller | Fixed | RHSA-2023:6158 | 30.10.2023 |
Red Hat Ansible Automation Platform 2.4 for RHEL 9 | python-django | Fixed | RHSA-2023:5758 | 16.10.2023 |
Additional information
CVSS3: 7.5 (High)