CVE-2024-53907
Published 2024-12-06
Priority: P3 · 37 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.37% (68.5th percentile)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.17 | 4.2.17 |
| djangoproject | django | >= 4.2 < 4.2.17 | 4.2.17 |
| djangoproject | django | >= 4.2.0 < 4.2.17 | 4.2.17 |
| djangoproject | django | >= 5.0 < 5.0.10 | 5.0.10 |
| djangoproject | django | >= 5.0 < 5.0.10 | 5.0.10 |
| djangoproject | django | >= 5.0.0 < 5.0.10 | 5.0.10 |
| djangoproject | django | >= 5.1 < 5.1.4 | 5.1.4 |
| djangoproject | django | >= 5.1 < 5.1.4 | 5.1.4 |
| djangoproject | django | >= 5.1.0 < 5.1.4 | 5.1.4 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
GHSA
Django denial-of-service in django.utils.html.strip_tags()
ghsa · 2024-12-06 · MEDIUM · CWE-770
OSV
CVE-2024-53907: An issue was discovered in Django 5
osv · 2024-12-06 · CVSS 7.5 · HIGH
OSV
Django denial-of-service in django.utils.html.strip_tags()
osv · 2024-12-06 · MEDIUM
OSV
python-django vulnerabilities
osv · 2024-12-04 · CVSS 7.5 · HIGH
jiangniao discovered that Django incorrectly handled the API to strip tags.
A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)
OSV
python-django vulnerability
osv · 2024-12-04 · CVSS 7.5 · HIGH
USN-7136-1 fixed a vulnerability in Django. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
jiangniao discovered that Django incorrectly handled the API to strip
tags. A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)
Red Hat
django: Potential denial-of-service in django.utils.html.strip_tags()
vendor_redhat · 2024-12-04 · CVSS 7.5 · HIGH · CWE-1169
A vulnerability was found in the Django Web Framework. The strip_tags() method and striptags template filter may be vulnerable to a potential denial of service (DoS) in cases of a large sequence of nested incomplete HTML entities.
Statement: This vulnerability is rated as a Moderate severity because it exposes the strip_tags() method and striptags template filter to a potential denial-of-service attack, malicious input containing large sequences o
Ubuntu
Django vulnerability
vendor_ubuntu · 2024-12-04 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Django.
USN-7136-1 fixed a vulnerability in Django. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
jiangniao discovered that Django incorrectly handled the API to strip
tags. A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2024-12-04 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Django.
jiangniao discovered that Django incorrectly handled the API to strip tags.
A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-53907: python-django - An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 b...
vendor_debian · 2024 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u3)
forky: resolved (fixed in 3:4.2.17-1)
sid: resolved (fixed in 3:4.2.17-1)
trixie: resolved (fixed in 3:4.2.17-1)
No detection rules found.
No public exploits indexed.