In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | python-django | <= 3:3.2.19-1+deb12u1 | python-django_3:3.2.19-1+deb12u1_all.deb |
Debian | 11 | all | python-django | <= 2:2.2.28-1~deb11u2 | python-django_2:2.2.28-1~deb11u2_all.deb |
Debian | 10 | all | python-django | <= 1:1.11.29-1~deb10u1 | python-django_1:1.11.29-1~deb10u1_all.deb |
Debian | 999 | all | python-django | < 3:4.2.11-1 | python-django_3:4.2.11-1_all.deb |
Debian | 13 | all | python-django | < 3:4.2.11-1 | python-django_3:4.2.11-1_all.deb |