CVE-2018-7536 — Incorrect Regular Expression in Django
Severity
5.3MEDIUMNVD
EPSS
1.4%
top 19.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 9
Latest updateJan 4
Description
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4
Affected Packages3 packages
Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10
🔴Vulnerability Details
4📋Vendor Advisories
3💬Community
4Bugzilla▶
CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'↗2018-02-27