Bug 2218004 (CVE-2023-36053)

Summary: CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, amctagga, aoconnor, apevec, bbuckingham, bcourt, bniver, caswilli, cwelton, davidn, dhughes, eglynn, ehelms, epacific, flucifre, gmeno, gtanzill, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsherril, jtanner, kaycoth, kshier, lhh, lzap, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, myarboro, nmoumoul, nweather, orabin, osapryki, pcreech, pgrist, rbiba, rchan, rhos-maint, security-response-team, simaishi, smcdonal, sostapov, sskracic, stcannon, teagle, tfister, vereddy, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-django 4.2.3, python-django 4.1.10, python-django 3.2.20
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service vulnerability has been found in Django. The email and URL validators are affected when they process an email address or URL containing a very large number of domain name labels.
Story Points: ---
Type: ---
Regression: ---
Documentation: ---
Category: ---
Embargoed:
Bug Depends On: 2218256, 2218258, 2218260, 2218262, 2218263, 2218264, 2219379, 2219381, 2219382, 2219383, 2218251, 2218252, 2218253, 2218254, 2218255, 2218257, 2218259, 2218261, 2218265, 2218266, 2218268, 2218269, 2218270, 2218272, 2219380
Bug Blocks: 2218003

Description Guilherme de Almeida Suckevicz 2023-06-27 19:24:07 UTC
``EmailValidator`` and ``URLValidator`` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.

Affected versions:
Django main development branch, Django 4.2, Django 4.1, Django 3.2
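As an added defensive example (not Django's code and not the fix shipped in the versions listed above), the following Python guards bound the length and the number of labels of a host name before any regular expression runs, so an input with a very large number of domain labels is rejected by cheap checks rather than handed to a backtracking pattern. The 253-character name and 63-character label limits are the RFC 1035 ones; the label-count cap and the 320-character address cap are constructed policy values.

```python
import re

# RFC 1035 limits on DNS names: a label is 1..63 characters and a full
# name is at most 253 characters of text.
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63
# Constructed policy cap (assumption, not an RFC value): real host names
# have a handful of labels, so anything beyond this is treated as abuse.
MAX_LABELS = 32
# Constructed cap on the whole address (assumption): 64-char local part,
# the '@', and a domain part.
MAX_EMAIL_LEN = 320

# Per-label pattern, anchored and bounded to 63 characters, so the regex
# is only ever applied to one short label at a time and can never
# backtrack across the whole domain string.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_is_acceptable(host: str, max_labels: int = MAX_LABELS) -> bool:
    """Length and label-count guards run before any regular expression."""
    if not host or len(host) > MAX_HOSTNAME_LEN:
        return False
    labels = host.rstrip(".").split(".")
    if len(labels) > max_labels:
        return False
    # Empty labels ("a..b") and over-long labels fail here as well.
    return all(len(lbl) <= MAX_LABEL_LEN and LABEL_RE.match(lbl) for lbl in labels)


def email_is_acceptable(address: str) -> bool:
    """Bound the address, split on the last '@', then guard the domain part."""
    if len(address) > MAX_EMAIL_LEN or "@" not in address:
        return False
    local, _, domain = address.rpartition("@")
    return 0 < len(local) <= 64 and hostname_is_acceptable(domain)
```

The guards deliberately run before, not instead of, the full validator: they only make sure whatever reaches the regex is short and has a bounded number of labels.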

Comment 11 Guilherme de Almeida Suckevicz 2023-07-03 12:09:26 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2219381]
Affects: fedora-all [bug 2219383]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 2219379]


Created python-django3 tracking bugs for this issue:

Affects: epel-8 [bug 2219380]
Affects: fedora-all [bug 2219382]