CVE-2015-2316 — Allocation of Resources Without Limits or Throttling in Django

CWE-399 CWE-770 — Allocation of Resources Without Limits or Throttling CWE-835 — Infinite Loop12 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

2.0%

top 16.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Canonical Ubuntu Linux Fedoraproject Fedora +2 more

Timeline

PublishedMar 25

Latest updateMay 14

Description

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶PyPIdjangoproject/django1.6 — 1.6.11+2

▶NVDdjangoproject/django19 versions+18

▶NVDoracle/solaris11.2

▶NVDopensuse/opensuse13.2

Also affects: Fedora 22, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Denial-of-service possibility with strip_tags↗2022-05-14

▶

GHSA

Django Denial-of-service possibility with strip_tags↗2022-05-14

▶

CVEList

CVE-2015-2316: The utils↗2015-03-25

▶

OSV

CVE-2015-2316: The utils↗2015-03-25

▶

OSV

python-django vulnerabilities↗2015-03-23

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2015-03-23

▶

Red Hat

Django: possible denial of service in strip_tags()↗2015-03-18

▶

Debian

CVE-2015-2316: python-django - The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1...↗2015

▶

💬Community

Bugzilla

CVE-2015-2316 python-django: Django: possible denial of service in strip_tags() [epel-7]↗2015-03-19

▶

Bugzilla

CVE-2015-2316 python-django: Django: possible denial of service in strip_tags() [fedora-all]↗2015-03-19

▶

Bugzilla

CVE-2015-2316 Django: possible denial of service in strip_tags()↗2015-03-17

▶