CVE-2023-43665

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

History

21 Nov 2024, 08:24

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/03/04/1 - () http://www.openwall.com/lists/oss-security/2024/03/04/1 -
References () https://docs.djangoproject.com/en/4.2/releases/security/ - Patch, Vendor Advisory () https://docs.djangoproject.com/en/4.2/releases/security/ - Patch, Vendor Advisory
References () https://groups.google.com/forum/#%21forum/django-announce - Permissions Required () https://groups.google.com/forum/#%21forum/django-announce - Permissions Required
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ - Mailing List, Third Party Advisory () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/ -
References () https://security.netapp.com/advisory/ntap-20231221-0001/ - () https://security.netapp.com/advisory/ntap-20231221-0001/ -
References () https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ - Vendor Advisory () https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ - Vendor Advisory

01 May 2024, 17:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/03/04/1 -

20 Apr 2024, 03:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/ -

21 Dec 2023, 22:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20231221-0001/ -

13 Nov 2023, 15:29

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Fedoraproject
Djangoproject django
Fedoraproject fedora
Djangoproject
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ - Mailing List, Third Party Advisory
References (MISC) https://docs.djangoproject.com/en/4.2/releases/security/ - (MISC) https://docs.djangoproject.com/en/4.2/releases/security/ - Patch, Vendor Advisory
References (CONFIRM) https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ - (CONFIRM) https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ - Vendor Advisory
References () https://groups.google.com/forum/#%21forum/django-announce - () https://groups.google.com/forum/#%21forum/django-announce - Permissions Required
CWE CWE-1284
CPE cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

07 Nov 2023, 04:21

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/', 'name': 'FEDORA-2023-a67af7d8f4', 'tags': [], 'refsource': 'FEDORA'}
  • {'url': 'https://groups.google.com/forum/#!forum/django-announce', 'name': 'https://groups.google.com/forum/#!forum/django-announce', 'tags': [], 'refsource': 'MISC'}
  • () https://groups.google.com/forum/#%21forum/django-announce -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ -

03 Nov 2023, 22:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/ -

03 Nov 2023, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-03 05:15

Updated : 2024-11-21 08:24


NVD link : CVE-2023-43665

Mitre link : CVE-2023-43665

CVE.ORG link : CVE-2023-43665


JSON object : View

Products Affected

djangoproject

  • django

fedoraproject

  • fedora
CWE
CWE-1284

Improper Validation of Specified Quantity in Input