Vulnerability CVE-2023-43665: Information
Description
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
python3-module-django | sisyphus | 4.2.6-alt1 | 4.2.13-alt1 | ALT-PU-2023-6172-1 | 331106 | Fixed |
python3-module-django | sisyphus_e2k | 4.2.6-alt1 | 4.2.13-alt1 | ALT-PU-2023-6230-1 | - | Fixed |
python3-module-django | sisyphus_riscv64 | 4.2.6-alt1 | 4.2.13-alt1 | ALT-PU-2023-6195-1 | - | Fixed |
python3-module-django | p10 | 3.2.22-alt1 | 3.2.25-alt1 | ALT-PU-2023-6171-2 | 331109 | Fixed |
python3-module-django | p10_e2k | 3.2.22-alt1 | 3.2.25-alt1 | ALT-PU-2023-7038-1 | - | Fixed |
python3-module-django | c10f1 | 3.2.22-alt1 | 3.2.25-alt1 | ALT-PU-2023-6239-2 | 331111 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ |
|
https://docs.djangoproject.com/en/4.2/releases/security/ |
|
https://groups.google.com/forum/#%21forum/django-announce |
|
FEDORA-2023-a67af7d8f4 |
|
https://security.netapp.com/advisory/ntap-20231221-0001/ | |
FEDORA-2024-84fbbbb914 | |
[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() |