GHSA-vm8q-m57g-pff3

Suggest an improvement
Source
https://github.com/advisories/GHSA-vm8q-m57g-pff3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-vm8q-m57g-pff3/GHSA-vm8q-m57g-pff3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vm8q-m57g-pff3
Aliases
Related
Published
2024-03-15T21:30:43Z
Modified
2024-07-03T21:40:46.910597Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Regular expression denial-of-service in Django
Details

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2
Fixed
3.2.25

Affected versions

3.*

3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.15
3.2.16
3.2.17
3.2.18
3.2.19
3.2.20
3.2.21
3.2.22
3.2.23
3.2.24

Ecosystem specific

{
    "affected_functions": [
        "django.utils.text.Truncator.words"
    ]
}

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2
Fixed
4.2.11

Affected versions

4.*

4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10

Ecosystem specific

{
    "affected_functions": [
        "django.utils.text.Truncator.words"
    ]
}

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0
Fixed
5.0.3

Affected versions

5.*

5.0
5.0.1
5.0.2

Ecosystem specific

{
    "affected_functions": [
        "django.utils.text.Truncator.words"
    ]
}