An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/103361 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHSA-2018:2927 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:0051 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:0082 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:0265 | Third Party Advisory |
https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2 | |
https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16 | |
https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8 | |
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html | Mailing List Third Party Advisory |
https://usn.ubuntu.com/3591-1/ | Third Party Advisory |
https://www.debian.org/security/2018/dsa-4161 | Third Party Advisory |
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-03-09T00:00:00
Updated: 2023-12-07T22:05:43.713862
Reserved: 2018-02-26T00:00:00
Link: CVE-2018-7536
JSON object: View
NVD Information
Status : Modified
Published: 2018-03-09T20:29:00.613
Modified: 2023-12-07T22:15:07.663
Link: CVE-2018-7536
JSON object: View
Redhat Information
No data.
CWE