QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14232

Published: Aug 2, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://docs.djangoproject.com/en/dev/releases/security/

https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs

https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

openSUSE-SU-2019:1839

vendor-advisory

20190812 [SECURITY] [DSA 4498-1] python-django security update

mailing-list

vendor-advisory

openSUSE-SU-2019:1872

vendor-advisory

FEDORA-2019-647f74ce51

vendor-advisory

https://security.netapp.com/advisory/ntap-20190828-0002/

vendor-advisory

[oss-security] 20231004 Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator

mailing-list

[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.