CVE-2015-2316
Published: 2015-03-25
Priority: P4 · 27 · medium · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 5.00% (91.1th percentile)
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
Affected
30 ranges (25 shown; only two carry rendered version data, identical empty rows are collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — (4 ranges, no version data rendered) | — |
| debian | python-django | < python-django 1.7.7-1 (bookworm) | python-django 1.7.7-1 (bookworm) |
| djangoproject | django | — (19 ranges, no version data rendered) | — |
| djangoproject | django | >= 1.6 < 1.6.11 | 1.6.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2015-03-23 · CVSS 5.0 · MEDIUM
Summary: Several security issues were fixed in Django.
Andrey Babak discovered that Django incorrectly handled strip_tags. A
remote attacker could possibly use this issue to cause Django to enter an
infinite loop, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2316)
Daniel Chatfield discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-2317)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: possible denial of service in strip_tags()
vendor_redhat · 2015-03-18 · CVSS 5.0 · MEDIUM · CWE-835
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Fix deferred
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Fix deferred
Package: Django14 (Red Hat OpenStack Platform 4) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Debian
CVE-2015-2316: python-django
vendor_debian · 2015 · CVSS 5.0 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.7.7-1)
bullseye: resolved (fixed in 1.7.7-1)
forky: resolved (fixed in 1.7.7-1)
sid: resolved (fixed in 1.7.7-1)
trixie: resolved (fixed in 1.7.7-1)
OSV
Django Denial-of-service possibility with strip_tags
osv · 2022-05-14 · HIGH
GHSA
Django Denial-of-service possibility with strip_tags
ghsa · 2022-05-14 · HIGH · CWE-770
OSV
CVE-2015-2316: The utils
osv · 2015-03-25 · CVSS 5.0 · MEDIUM
OSV
python-django vulnerabilities
osv · 2015-03-23 · CVSS 5.0 · MEDIUM
Same advisory text as the Ubuntu entry above (CVE-2015-2316 and CVE-2015-2317).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2316 python-django: Django: possible denial of service in strip_tags() [epel-7]
bugzilla · 2015-03-19 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for python-django: s
Bugzilla
CVE-2015-2316 python-django: Django: possible denial of service in strip_tags() [fedora-all]
bugzilla · 2015-03-19 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
NOTE: this issue affects multiple support
Bugzilla
Django 1.4.20/1.6.11/1.7.7 security update (MDN)
bugzilla · 2015-03-19 · MEDIUM
On Wednesday, March 18th, 2015, the Django project issued a set of releases to remedy security issues reported. This bug contains descriptions of the issues.
Please read the entirety of this bug. Then either:
1. apply the update and mark this bug as FIXED, or
2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project
From the blog entry at https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
"""
In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues de
Bugzilla
CVE-2015-2316 Django: possible denial of service in strip_tags()
bugzilla · 2015-03-17 · CVSS 5.0 · MEDIUM
The following flaw was found in Django:
In a previous release, django.utils.html.strip_tags was changed to work iteratively. The problem is that the size of the input it is processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven't received a bugfix in HTMLParser (http://bugs.python.org/issue20288); namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions.
To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it is processing increases. Remember that absolutely NO guarantee is provided ab
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.securityfocus.com/bid/73322
http://www.ubuntu.com/usn/USN-2539-1
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/