CVE-2019-14232

CVSS 7.5 HIGHEPSS 3.5%CWE-400

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.5EPSS 3.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

02 ago 2019Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Produtos afetados

n/a · n/a

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html https://docs.djangoproject.com/en/dev/releases/security/https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/https://seclists.org/bugtraq/2019/Aug/15 https://security.gentoo.org/glsa/202004-17 https://security.netapp.com/advisory/ntap-20190828-0002/https://www.debian.org/security/2019/dsa-4498 https://www.djangoproject.com/weblog/2019/aug/01/security-releases/http://www.openwall.com/lists/oss-security/2023/10/04/6 http://www.openwall.com/lists/oss-security/2024/03/04/1