CVE-2019-14232

CVSS V2 Medium 5 CVSS V3 High 7.5
Description
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Overview
  • CVE ID
  • CVE-2019-14232
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2019-08-02T15:15:11
  • Last Modified Date
  • 2020-08-24T17:37:01
Weakness Enumerations
CWE URL
CWE-400 http://cwe.mitre.org/data/definitions/400.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 1 OR 1.11 1.11.23
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 1 OR 2.1 2.1.11
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 1 OR 2.2 2.2.4
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:N/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • NONE
  • Availability Impact
  • PARTIAL
  • Base Score
  • 5
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • HIGH
  • Base Score
  • 7.5
  • Base Severity
  • HIGH
  • Exploitability Score
  • 3.9
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ Vendor Advisory
https://docs.djangoproject.com/en/dev/releases/security/ Patch Vendor Advisory
https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html Third Party Advisory
https://seclists.org/bugtraq/2019/Aug/15
https://www.debian.org/security/2019/dsa-4498
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
https://security.netapp.com/advisory/ntap-20190828-0002/
https://security.gentoo.org/glsa/202004-17
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2019-14232
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
History
Created Old Value New Value Data Type Notes
2022-05-10 16:35:17 Added to TrackCVE
2022-12-04 00:28:15 2019-08-02T15:15Z 2019-08-02T15:15:11 CVE Published Date updated
2022-12-04 00:28:16 2020-08-24T17:37:01 CVE Modified Date updated
2022-12-04 00:28:16 Modified Vulnerability Status updated