Lucene search

K

GoogleOSV:GHSA-H8GC-PGJ2-VJM3

HistoryNov 03, 2023 - 6:36 a.m.

Django Denial-of-service in django.utils.text.Truncator

2023-11-0306:36:30

Google

osv.dev

9

django 3.2

django 4.1.12

django 4.2.6

truncator

denial of service

html

incomplete fix

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

Low

0.029 Low

EPSS

Percentile

90.8%

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

CPENameOperatorVersion
djangoeq3.2.19
djangoeq3.2.11
djangoeq3.2.2
djangoeq3.2
djangoeq3.2.8
djangoeq4.1.4
djangoeq3.2.15
djangoeq4.2.4
djangoeq3.2.13
djangoeq4.1

Rows per page:

1-10 of 401

References

www.openwall.com/lists/oss-security/2024/03/04/1

docs.djangoproject.com/en/4.2/releases/security

github.com/django/django

github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473

github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8

github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5

github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml

groups.google.com/forum/#!forum/django-announce

groups.google.com/forum/#%21forum/django-announce

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D

lists.fedoraproject.org/archives/list/[email protected]/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU

nvd.nist.gov/vuln/detail/CVE-2023-43665

security.netapp.com/advisory/ntap-20231221-0001

www.djangoproject.com/weblog/2023/oct/04/security-releases

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

Low

0.029 Low

EPSS

Percentile

90.8%

Related for OSV:GHSA-H8GC-PGJ2-VJM3

nessus27 openvas20 cvelist3 nvd3 osv12 prion2 cve3 github3 ubuntucve3 alpinelinux3 debiancve3 hackerone1 redhatcve2 veracode2 vulnrichment1 freebsd2 redos1 ubuntu3 debian3 fedora8 redhat7 altlinux2 archlinux2 suse2 gentoo1