GHSA-r28v-mw67-m5p9

Suggest an improvement
Source
https://github.com/advisories/GHSA-r28v-mw67-m5p9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-r28v-mw67-m5p9/GHSA-r28v-mw67-m5p9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r28v-mw67-m5p9
Aliases
Published
2019-01-04T17:50:07Z
Modified
2024-09-18T20:10:33.087017Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Django denial-of-service possibility in urlize and urlizetrunc template filters
Details

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0a1
Fixed
2.0.3

Affected versions

2.*

2.0a1
2.0b1
2.0rc1
2.0
2.0.1
2.0.2

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.11a1
Fixed
1.11.11

Affected versions

1.*

1.11a1
1.11b1
1.11rc1
1.11
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.11.9
1.11.10

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8a1
Fixed
1.8.19

Affected versions

1.*

1.8a1
1.8b1
1.8b2
1.8c1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18