{"id":"GHSA-2f9x-5v75-3qv4","summary":"Django Denial-of-service possibility in truncatechars_html and truncatewords_html template filters","details":"An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.","aliases":["CVE-2018-7537","PYSEC-2018-6"],"modified":"2024-11-27T05:25:46.502161Z","published":"2019-01-04T17:50:00Z","database_specific":{"severity":"LOW","nvd_published_at":null,"github_reviewed_at":"2020-06-16T20:51:51Z","cwe_ids":["CWE-185"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7537"},{"type":"WEB","url":"https://github.com/django/django/commit/94c5da1d17a6b0d378866c66b605102c19f7988c"},{"type":"WEB","url":"https://github.com/django/django/commit/a91436360b79a6ff995c3e5018bcc666dfaf1539"},{"type":"WEB","url":"https://github.com/django/django/commit/d17974a287a6ea2e361daff88fcc004cbd6835fa"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:0265"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2f9x-5v75-3qv4"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-6.yaml"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"},{"type":"WEB","url":"https://usn.ubuntu.com/3591-1"},{"type":"WEB","url":"https://www.debian.org/security/2018/dsa-4161"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2018/mar/06/security-releases"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0"},{"fixed":"2.0.3"}]}],"versions":["2.0","2.0.1","2.0.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.11"},{"fixed":"1.11.11"}]}],"versions":["1.11","1.11.1","1.11.10","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.8"},{"fixed":"1.8.19"}]}],"versions":["1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.18","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}]}