Description
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
A flaw was found in Django. A remote attacker can exploit this vulnerability by providing crafted inputs containing a large number of unmatched HTML end tags to the django.utils.text.Truncator.chars() and Truncator.words() methods (when html=True), or through the truncatechars_html and truncatewords_html template filters. This can lead to a denial-of-service (DoS) condition, making the application unavailable to legitimate users.
Statement
This is a MODERATE impact denial-of-service flaw in Django. Applications utilizing Django that process untrusted HTML inputs with a large number of unmatched end tags through the Truncator.chars() or Truncator.words() methods (with html=True), or the truncatechars_html and truncatewords_html template filters, may experience resource exhaustion. This can lead to the application becoming unavailable.
Mitigation
To mitigate this issue, applications utilizing Django should avoid processing untrusted HTML content through the django.utils.text.Truncator.chars() and Truncator.words() methods with html=True, or the truncatechars_html and truncatewords_html template filters. Restrict the use of these functions to only trusted inputs where the HTML structure is controlled and validated.
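As an added illustration of the "HTML structure is controlled and validated" condition above (this is not Django's code and not part of the advisory), the following pre-check counts end tags that close nothing and rejects an input before it is handed to Truncator with html=True or to the *_html filters. The threshold of 10 unmatched end tags and the function names are assumptions chosen for the example.

```python
from html.parser import HTMLParser

# Void elements never carry an end tag, so they are excluded from matching.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class _TagBalanceCounter(HTMLParser):
    """Tracks open tags and counts end tags that match no open tag."""

    def __init__(self):
        super().__init__()
        self.open_tags = []
        self.unmatched_end_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax such as <br/> opens and closes nothing.
        pass

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close the nearest matching tag plus anything still nested in it.
            while self.open_tags.pop() != tag:
                pass
        else:
            self.unmatched_end_tags += 1


def count_unmatched_end_tags(html: str) -> int:
    """Number of end tags in `html` that do not close any open element."""
    parser = _TagBalanceCounter()
    parser.feed(html)
    parser.close()
    return parser.unmatched_end_tags


def is_safe_for_html_truncation(html: str, max_unmatched_end_tags: int = 10) -> bool:
    """Gate (assumed threshold) to apply before Truncator(...).chars/words(html=True)."""
    return count_unmatched_end_tags(html) <= max_unmatched_end_tags
```

Inputs that fail the gate should be truncated with html=False or rejected outright; untrusted submissions that pass it still get the fixed Django release.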
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/de-minimal-rhel8 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/de-minimal-rhel9 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Will not fix | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/de-minimal-rhel9 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-rhel9 | Will not fix | | |
| Red Hat Ansible Automation Platform 2 | automation-controller | Will not fix | | |
| Red Hat Ansible Automation Platform 2 | python-django | Not affected | | |
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Vulnerability in the Django web application framework related to algorithmic complexity, allowing an attacker to cause a denial of service