Описание
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
An inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | ansible-tower | Not affected | ||
| Red Hat Certification for Red Hat Enterprise Linux 7 | python-django | Out of support scope | ||
| Red Hat Certification for Red Hat Enterprise Linux 8 | redhat-certification | Affected | ||
| Red Hat Certification for Red Hat Enterprise Linux 9 | redhat-certification | Affected | ||
| Red Hat Discovery | discovery-server-container | Not affected | ||
| Red Hat OpenStack Platform 16.1 | python-django20 | Out of support scope | ||
| Red Hat OpenStack Platform 16.2 | python-django20 | Affected | ||
| Red Hat OpenStack Platform 18.0 | python-django | Affected | ||
| Red Hat Storage 3 | python-django | Affected | ||
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | python3x-django | Fixed | RHSA-2024:1640 | 02.04.2024 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, ...
7.5 High
CVSS3