{"id":"PYSEC-2018-6","details":"An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.","aliases":["CVE-2018-7537","GHSA-2f9x-5v75-3qv4"],"modified":"2023-11-08T04:00:22.875849Z","published":"2018-03-09T20:29:00Z","references":[{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"},{"type":"WEB","url":"http://www.securityfocus.com/bid/103357"},{"type":"WEB","url":"https://usn.ubuntu.com/3591-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4161"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0265"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2f9x-5v75-3qv4"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.8"},{"fixed":"1.8.19"},{"introduced":"1.11"},{"fixed":"1.11.11"},{"introduced":"2.0"},{"fixed":"2.0.3"}]}],"versions":["1.11","1.11.1","1.11.10","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.18","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","2.0","2.0.1","2.0.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2018-6.yaml"}}],"schema_version":"1.7.3"}