Bug 2218004 (CVE-2023-36053) - CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
Status: NEW
Alias: CVE-2023-36053
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2219379 2219381 2218251 2218252 2218253 2218254 2218255 2218256 2218257 2218258 2218259 2218261 2218262 2218263 2218264 2218265 2218266 2218268 2218269 2218270 2218272 2219380 2219382 2219383 2238377
Blocks: 2218003
Reported: 2023-06-27 19:24 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-04-18 01:51 UTC (History)

Fixed In Version: python-django 4.2.3, python-django 4.1.10, python-django 3.2.20
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number of domain name labels of emails and URLs.

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:4692  0        None      None    None     2023-08-21 17:04:53 UTC
Red Hat Product Errata  RHSA-2023:4693  0        None      None    None     2023-08-21 21:49:41 UTC
Red Hat Product Errata  RHSA-2023:5931  0        None      None    None     2023-10-19 13:13:12 UTC
Red Hat Product Errata  RHSA-2023:6818  0        None      None    None     2023-11-08 14:17:29 UTC
Red Hat Product Errata  RHSA-2024:0212  0        None      None    None     2024-01-16 14:35:51 UTC
Red Hat Product Errata  RHSA-2024:1878  0        None      None    None     2024-04-18 01:51:35 UTC

Description Guilherme de Almeida Suckevicz 2023-06-27 19:24:07 UTC
``EmailValidator`` and ``URLValidator`` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.

Affected versions:
Django main development branch, Django 4.2, Django 4.1, Django 3.2
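
A cheap pre-validation guard of the kind a deployment can place in front of these validators while the fixed packages are rolled out, as an added example that is not Django's fix and not code from this bug report; the length and label bounds, the `guard_input`/`guarded_validate` names and the coarse host extraction are assumptions chosen here.

```python
import re
from typing import Callable, Optional

# Assumed bounds (constructed for this example, not values taken from Django):
# real-world addresses and URLs stay far below them, while a regex-stressing
# input built from a very large number of domain labels is rejected before
# any backtracking-prone pattern ever sees it.
MAX_EMAIL_LENGTH = 254
MAX_URL_LENGTH = 2048
MAX_DOMAIN_LABELS = 32

_PATH_START = re.compile(r"[/?#]")


def guard_input(value: object, kind: str) -> Optional[str]:
    """Return a rejection reason, or None if the value may go to the validator.

    kind is "email" or "url". The host extraction is deliberately coarse:
    the guard only needs an upper bound on the work the validator would do.
    """
    if not isinstance(value, str):
        return "value is not a string"
    limit = MAX_EMAIL_LENGTH if kind == "email" else MAX_URL_LENGTH
    if len(value) > limit:
        return f"{kind} longer than {limit} characters"
    if kind == "email":
        host = value.rpartition("@")[2]          # text after the last '@'
    else:
        after_scheme = value.split("://", 1)[-1]  # drop "scheme://" if present
        host = _PATH_START.split(after_scheme, maxsplit=1)[0]
    labels = host.count(".") + 1
    if labels > MAX_DOMAIN_LABELS:
        return f"host carries {labels} domain labels (limit {MAX_DOMAIN_LABELS})"
    return None


def guarded_validate(value: str, kind: str, validator: Callable[[str], None]) -> bool:
    """Run the constant-time guard first, then the (regex-based) validator.

    validator is any callable raising on invalid input, e.g. an instance of
    django.core.validators.EmailValidator or URLValidator. Returns True when
    both stages accept the value; raises ValueError when the guard rejects it.
    """
    reason = guard_input(value, kind)
    if reason is not None:
        raise ValueError(f"rejected before validation: {reason}")
    validator(value)
    return True
```

The guard rejects on the bound, not on syntax, so the wrapped validator still decides whether a short input is actually a well-formed address or URL.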

Comment 11 Guilherme de Almeida Suckevicz 2023-07-03 12:09:26 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2219381]
Affects: fedora-all [bug 2219383]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 2219379]


Created python-django3 tracking bugs for this issue:

Affects: epel-8 [bug 2219380]
Affects: fedora-all [bug 2219382]

Comment 17 errata-xmlrpc 2023-08-21 17:04:51 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4692 https://access.redhat.com/errata/RHSA-2023:4692

Comment 18 errata-xmlrpc 2023-08-21 21:49:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693

Comment 20 errata-xmlrpc 2023-10-19 13:13:10 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Comment 21 errata-xmlrpc 2023-11-08 14:17:25 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818

Comment 22 errata-xmlrpc 2024-01-16 14:35:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0212 https://access.redhat.com/errata/RHSA-2024:0212

Comment 26 errata-xmlrpc 2024-04-18 01:51:33 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878