CVE-2019-14233
Published 2019-08-02
Priority P339 · Severity high · CVSS 3.0 score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.17% (86.4th percentile)
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 2:2.2.4-1 (bookworm) | python-django 2:2.2.4-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 1.11a1 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 2.1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.1a1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.2 < 2.2.4 | 2.2.4 |
| djangoproject | django | >= 2.2a1 < 2.2.4 | 2.2.4 |
| opensuse | leap | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
GHSA · 2019-08-06 · CVE-2019-14233 [HIGH] · CWE-400
Django Denial-of-service in strip_tags()
OSV · 2019-08-06 · CVE-2019-14233 [HIGH]
Django Denial-of-service in strip_tags()
OSV · 2019-08-02 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233: An issue was discovered in Django 1
OSV · 2019-08-01 · CVSS 7.5 · CVE-2019-14232 [HIGH]
python-django vulnerabilities
It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14232)
It was discovered that Django incorrectly handled the strip_tags function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14233)
It was discovered that Django incorrectly handled certain lookups in the PostgreSQL support. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2019-14234)
It was discovered that Django incorrectly handled certain invalid UTF-8 octet sequences. A remote attacker could possibly use this issue to cause Django to
Red Hat · 2019-08-01 · CVSS 7.5 · CVE-2019-14233 [HIGH] · CWE-20
Django: the behavior of the underlying HTMLParser leading to DoS
Statement: This issue affects the versions of python-django as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3, as it contains the vulnerable code.
This issue affects Red Hat Update Infrastructure for Cloud Providers, but the vulnerable functions in python-django are currently not used in any part of the Product.
This issue does not affect Red Hat Satellite as the vulnerable functions in python-django are not use
Ubuntu · 2019-08-01 · CVSS 7.5 · CVE-2019-14232 [HIGH]
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14232)
It was discovered that Django incorrectly handled the strip_tags function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14233)
It was discovered that Django incorrectly handled certain lookups in the PostgreSQL support. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2019-14234)
It was discovered that Django incorrectly handled certain invalid UTF-8 octet sequences. A remote a
Debian · 2019 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an...
Scope: local
bookworm: resolved (fixed in 2:2.2.4-1)
bullseye: resolved (fixed in 2:2.2.4-1)
forky: resolved (fixed in 2:2.2.4-1)
sid: resolved (fixed in 2:2.2.4-1)
trixie: resolved (fixed in 2:2.2.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2019-08-29 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 python-django: Django: the behavior of the underlying HTMLParser leading to DoS [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Thi
Bugzilla · 2019-08-01 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 python-django: Django: the behavior of the underlying HTMLParser leading to DoS [fedora-30]
Bugzilla · 2019-08-01 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 python-django: Django: the behavior of the underlying HTMLParser leading to DoS [epel-7]
Bugzilla · 2019-08-01 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 python-django: Django: the behavior of the underlying HTMLParser leading to DoS [fedora-29]
Bugzilla · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL]
CVE-2019-14234 python-django16: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [epel-7]
Bugzilla · 2019-08-01 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 python-django16: Django: the behavior of the underlying HTMLParser leading to DoS [epel-7]
Bugzilla · 2019-07-30 · CVSS 7.5 · CVE-2019-14233 [HIGH]
CVE-2019-14233 Django: the behavior of the underlying HTMLParser leading to DoS
Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.
Discussion:
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1735772]
Affects: fedora-29 [bug 1735774]
Affects: fedora-30 [bug 1735775]
Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1735773]
---
External References:
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
---
Upstream Patches for master branch, 1.
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://seclists.org/bugtraq/2019/Aug/15
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20190828-0002/
- https://www.debian.org/security/2019/dsa-4498
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/