CVE-2023-43665
Published 2023-11-03
CVE-2023-43665: In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True)…
Priority: P338 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.24% (65.3 percentile)
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.25 | 3.2.25 |
| djangoproject | django | >= 3.2 < 3.2.22 | 3.2.22 |
| djangoproject | django | >= 3.2 < 3.2.25 | 3.2.25 |
| djangoproject | django | >= 3.2a1 < 3.2.22 | 3.2.22 |
| djangoproject | django | >= 4.1 < 4.1.12 | 4.1.12 |
| djangoproject | django | >= 4.1a1 < 4.1.12 | 4.1.12 |
| djangoproject | django | >= 4.2 < 4.2.11 | 4.2.11 |
| djangoproject | django | >= 4.2 < 4.2.6 | 4.2.6 |
| djangoproject | django | >= 4.2 < 4.2.11 | 4.2.11 |
| djangoproject | django | >= 4.2a1 < 4.2.6 | 4.2.6 |
| djangoproject | django | >= 5.0 < 5.0.3 | 5.0.3 |
| djangoproject | django | >= 5.0 < 5.0.3 | 5.0.3 |
| fedoraproject | fedora | — | — |
CVSS provenance
nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa: 7.5 HIGH
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH
vendor_ubuntu: 7.5 HIGH
OSV · 2024-03-15 · CVSS 7.5
CVE-2024-27351 [HIGH] CVE-2024-27351: In Django 3
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
OSV · 2024-03-15 · CVSS 7.5
CVE-2024-27351 [HIGH] Regular expression denial-of-service in Django
GHSA · 2024-03-15 · CVSS 7.5
CVE-2024-27351 [HIGH] CWE-1333 Regular expression denial-of-service in Django
OSV · 2023-11-03 · CVSS 7.5
CVE-2023-43665 [HIGH] CVE-2023-43665: In Django 3
GHSA · 2023-11-03 · CVSS 7.5
CVE-2023-43665 [HIGH] CWE-1284 Django Denial-of-service in django.utils.text.Truncator
OSV · 2023-11-03 · CVSS 7.5
CVE-2023-43665 [HIGH] Django Denial-of-service in django.utils.text.Truncator
OSV · 2023-10-04 · CVSS 7.5
CVE-2023-43665 [HIGH] python-django vulnerabilities
USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django, respectively. This update provides the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
It was discovered that Django incorrectly handled certain URIs with a very large number of Unicode characters. A remote attacker could possibly use this issue to cause Django to consume resources or crash, leading to a denial of service.
Red Hat · 2024-03-04 · CVSS 7.5
CVE-2024-27351 [HIGH] CWE-1333 python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
An inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.
Package: ansible-tower (Red Hat Ansible Automation Platform 1.2) - Not affected
Package: python-django (
Debian · 2024 · CVSS 7.5
CVE-2024-27351 [HIGH] CVE-2024-27351: python-django - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django...
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:4.2.11-1)
sid: resolved (fixed in 3:4.2.11-1)
trixie: resolved (fixed in 3:4.2.11-1)
Ubuntu · 2023-10-04 · CVSS 7.5
CVE-2023-43665 [HIGH] Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · 2023-10-04
CVE-2023-43665 Title: Django vulnerability
Summary: Django could be made to consume resources or crash if it received specially crafted network traffic.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2023-10-04 · CVSS 7.5
CVE-2023-43665 [HIGH] CWE-1333 python-django: Denial-of-service possibility in django.utils.text.Truncator
An inefficient regular expression complexity was found in Django. The text truncator regular expressions exhibit linear backtracking complexity, which can be slow, leading to a potential denial of service, given cert
Debian · 2023 · CVSS 7.5
CVE-2023-43665 [HIGH] CVE-2023-43665: python-django - In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django...
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:4.2.6-1)
sid: resolved (fixed in 3:4.2.6-1)
trixie: resolved (fixed in 3:4.2.6-1)
No detection rules found.
No public exploits indexed.
HackerOne · 2024-04-28 · CVSS 7.5
CVE-2024-27351 [HIGH] CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
# TL;DR
**CVE-2024-27351**: Potential regular expression denial-of-service in `django.utils.text.Truncator.words()`
# Details:
`django.utils.text.Truncator.words()` method (with `html=True`) and `truncatewords_html` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
- The `Truncator` class truncates text based on word count.
- When the `html` flag is set, the internal `_truncate_html()` method is used.
- This method relies on regular expressions stored in variables (`re_chars` and `re_words`) to perform the truncation.
- These regular expressions are vulnerable to ReD
Bugzilla · 2024-02-26 · CVSS 7.5
CVE-2024-27351 [HIGH] CVE-2024-27351 python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
You're receiving this message because you are on the security prenotification list for the Django web framework; information about this list can be found in our security policy [1].
In accordance with that policy, a set of security releases will be issued on Monday, March 4, 2024 around 900 UTC. This message contains descriptions of the issue, descriptions of the changes which will be made to Django, and the patches which will be applied to Django.
``django.utils.text.Truncator.words()`` method (with ``html=True``) and ``truncatewords_html`` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to
Bugzilla · 2023-09-27 · CVSS 7.5
CVE-2023-43665 [HIGH] CVE-2023-43665 python-django: Denial-of-service possibility in django.utils.text.Truncator
Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order
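As an added example (not code from this page or from the Django project), a small Python checker that tests a Django version string, or the Django pins in a requirements file, against the affected version ranges stated in the advisories above; the pre-release ordering and the `scan_requirements` helper are my own assumptions.

```python
import re

# Affected series and the first fixed release in each, as stated in the advisories on this page.
AFFECTED = {
    "CVE-2023-43665": [((3, 2), "3.2.22"), ((4, 1), "4.1.12"), ((4, 2), "4.2.6")],
    "CVE-2024-27351": [((3, 2), "3.2.25"), ((4, 2), "4.2.11"), ((5, 0), "5.0.3")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PIN_RE = re.compile(r"^\s*django\s*==\s*(\S+)", re.IGNORECASE)


def parse_version(text):
    """Turn 'X.Y', 'X.Y.Z' or 'X.Ya1' into a comparable tuple.
    Pre-releases sort before the final release (3.2a1 < 3.2 < 3.2.1), which
    matches the '>= 3.2a1' rows in the affected-ranges table (assumed ordering)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (3, 0) if tag is None else ({"a": 0, "b": 1, "rc": 2}[tag], int(tagnum))
    return (int(major), int(minor), int(patch or 0), pre)


def affected_by(version):
    """Return the CVE ids from this page that apply to the given Django version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for series, fixed in ranges:
            # affected when in the series and strictly below the first fixed release
            if v[:2] == series and v < parse_version(fixed):
                hits.append(cve)
                break
    return hits


def scan_requirements(lines):
    """Map each 'Django==X.Y.Z' pin in a requirements file to its applicable CVEs."""
    return {m.group(1): affected_by(m.group(1))
            for m in map(_PIN_RE.match, lines) if m}


# Constructed sample requirements, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "Django==4.2.5",
    "djangorestframework==3.14.0",
    "# Django==5.0.3 would be clean",
]

if __name__ == "__main__":
    for pin, cves in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(pin, "->", ", ".join(cves) or "not affected")
```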
References
http://www.openwall.com/lists/oss-security/2024/03/04/1
https://docs.djangoproject.com/en/4.2/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
https://security.netapp.com/advisory/ntap-20231221-0001/
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
Published: 2023-11-03