Lucene search

K
cve[email protected]CVE-2023-43665
HistoryNov 03, 2023 - 5:15 a.m.

CVE-2023-43665

2023-11-0305:15:30
CWE-1284
web.nvd.nist.gov
107
cve
2023
43665
django
dos
vulnerability
security
nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.029 Low

EPSS

Percentile

90.8%

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Affected configurations

NVD
Node
djangoprojectdjangoRange3.23.2.22
OR
djangoprojectdjangoRange4.14.1.12
OR
djangoprojectdjangoRange4.24.2.6
Node
fedoraprojectfedoraMatch39

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.029 Low

EPSS

Percentile

90.8%