Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h8gc-pgj2-vjm3: Django Denial-of-service in django.utils.text.Truncator

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

ghsa
#dos#git

Django Denial-of-service in django.utils.text.Truncator

Moderate severity GitHub Reviewed Published Nov 3, 2023 to the GitHub Advisory Database • Updated Nov 3, 2023

Related news

Red Hat Security Advisory 2024-2010-03

Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.

Red Hat Security Advisory 2024-1878-03

Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.

CVE-2023-43665: Django security releases issued: 4.2.6, 4.1.12, and 3.2.22

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Red Hat Security Advisory 2023-6158-01

Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

Ubuntu Security Notice USN-6414-2

Ubuntu Security Notice 6414-2 - USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django, respectively. This update provides the corresponding update for Ubuntu 18.04 LTS. Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

Ubuntu Security Notice USN-6414-1

Ubuntu Security Notice 6414-1 - Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.