CVE-2023-43665 django

Package

Manager: pip
Name: django
Vulnerable Version: >=3.2a1 <3.2.22 || >=4.1a1 <4.1.12 || >=4.2a1 <4.2.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01454 (percentile 0.80076)

Details

Django Denial-of-service in django.utils.text.Truncator

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Metadata

Created: 2023-11-03T06:36:30Z
Modified: 2024-11-18T16:26:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json
CWE IDs: ["CWE-1284", "CWE-400"]
Alternative ID: GHSA-h8gc-pgj2-vjm3
Finding: F002
Auto approve: 1