CVE-2023-36053 — Regex Denial of Service in Django

CWE-1333 — Regex Denial of Service9 documents7 sources

Severity

7.5HIGHNVD

EPSS

9.6%

top 7.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Debian Linux Fedoraproject Fedora

Timeline

PublishedJul 3

Latest updateJul 25

Description

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django3.2 — 3.2.20+2

▶PyPIdjangoproject/django3.2a1 — 3.2.20+2

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Django has regular expression denial of service vulnerability in EmailValidator/URLValidator↗2023-07-03

▶

OSV

CVE-2023-36053: In Django 3↗2023-07-03

▶

OSV

Django has regular expression denial of service vulnerability in EmailValidator/URLValidator↗2023-07-03

▶

CVEList

CVE-2023-36053: In Django 3↗2023-07-03

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2023-07-25

▶

Ubuntu

Django vulnerability↗2023-07-05

▶

Red Hat

python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator↗2023-07-03

▶

Debian

CVE-2023-36053: python-django - In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidat...↗2023

▶