Bug 2266045 (CVE-2024-27351) - CVE-2024-27351 python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
Summary: CVE-2024-27351 python-django: Potential regular expression denial-of-service ...
Keywords:
Status: NEW
Alias: CVE-2024-27351
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2266059 2266060 2266061 2267656 2267657 2267658 2274544 2274545 2274546 2274547 2266100 2266101 2267653 2267654 2267655
Blocks: 2266064
 
Reported: 2024-02-26 13:14 UTC by ybuenos
Modified: 2024-04-18 01:52 UTC (History)
CC: 48 users

Fixed In Version: python-django 3.2.25, python-django 4.2.11, python-django 5.0.3
Doc Type: If docs needed, set a value
Doc Text:
An inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:1640  0        None      None    None     2024-04-02 19:30:37 UTC
Red Hat Product Errata  RHSA-2024:1878  0        None      None    None     2024-04-18 01:52:17 UTC

Description ybuenos 2024-02-26 13:14:42 UTC
You're receiving this message because you are on the security prenotification list for the Django web framework; information about this list can be found in our security policy [1].

In accordance with that policy, a set of security releases will be issued on Monday, March 4, 2024 around 900 UTC. This message contains descriptions of the issue, descriptions of the changes which will be made to Django, and the patches which will be applied to Django.

``django.utils.text.Truncator.words()`` method (with ``html=True``) and
``truncatewords_html`` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to CVE-2019-14232 and CVE-2023-43665).

This issue has Moderate severity, according to the Django security policy [1].

Affected versions
=================

* Django 5.0
* Django 4.2
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 5.0.3
* Django 4.2.11
* Django 3.2.25

[1] https://www.djangoproject.com/security/
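The advisory above identifies the html=True path of Truncator.words() and the truncatewords_html filter as regex-based code that a crafted string can drive into expensive backtracking. As an added example, not Django's code and not the patch the advisory refers to, the block below shows the general remedy for this class of bug: tokenize untrusted HTML with the standard library's html.parser, which does a bounded amount of work per input character, and count words from the parsed stream rather than with a regex over the raw markup. The names WordTruncator, truncate_html_words and timing_profile are hypothetical, every sample input is constructed, and the run of tag openers used in timing_profile is chosen only to exercise the parser's recovery path; it is not the payload behind this CVE.

```python
# Added example for CVE-2024-27351, not Django's code: word-count truncation of
# untrusted HTML with html.parser instead of a backtracking regex. The names
# WordTruncator, truncate_html_words and timing_profile are hypothetical.
import re
import time
from html.parser import HTMLParser

# Standard HTML void elements: they take no closing tag, so never emit </br>.
VOID_ELEMENTS = frozenset(
    "area base br col embed hr img input link meta param source track wbr".split()
)
# Whitespace / non-whitespace runs; no nested quantifiers, so linear per chunk.
_RUNS = re.compile(r"\s+|\S+")


class _LimitReached(Exception):
    """Raised inside the parser the moment the word budget is exhausted."""


class WordTruncator(HTMLParser):
    """Re-emits markup verbatim while counting words in character data."""

    def __init__(self, max_words):
        # convert_charrefs=False keeps '&amp;' as written instead of decoding it.
        super().__init__(convert_charrefs=False)
        self.max_words = max_words
        self.words = 0
        self.in_word = False   # True while inside a run of non-whitespace
        self.parts = []        # output fragments, joined at the end
        self.open_tags = []    # stack of tags still awaiting a close tag

    def _start_word(self):
        if self.words >= self.max_words:
            raise _LimitReached
        self.words += 1
        self.in_word = True

    def handle_data(self, data):
        for run in _RUNS.findall(data):
            if run.isspace():
                self.in_word = False
            elif not self.in_word:
                self._start_word()
            self.parts.append(run)

    def handle_entityref(self, name):
        # A reference continues the current word: "R&amp;D" counts as one word.
        if not self.in_word:
            self._start_word()
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.handle_entityref(f"#{name}")  # "&#39;" is re-emitted verbatim

    def handle_starttag(self, tag, attrs):
        self.in_word = False
        self.parts.append(self.get_starttag_text())
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.in_word = False
        self.parts.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.in_word = False
        if tag in self.open_tags:
            # Close down to the matching tag, which also repairs overlapping
            # markup such as <b><i>x</b>; a stray close tag is dropped.
            while self.open_tags:
                opened = self.open_tags.pop()
                self.parts.append(f"</{opened}>")
                if opened == tag:
                    break


def truncate_html_words(html, max_words, suffix="…"):
    """Return html cut after max_words words, with any open tags closed."""
    parser = WordTruncator(max_words)
    try:
        parser.feed(html)
        parser.close()  # flush any incomplete construct buffered at EOF
    except _LimitReached:
        # Drop whitespace that preceded the word we refused to emit.
        while parser.parts and parser.parts[-1].isspace():
            parser.parts.pop()
        parser.parts.append(suffix)
    parser.parts.extend(f"</{tag}>" for tag in reversed(parser.open_tags))
    return "".join(parser.parts)


def timing_profile(sizes):
    """Time the truncator on a constructed run of tag openers ("< < < ...").

    The sample only exercises the parser's recovery path and is not the
    reported payload; the budget exceeds the word count so nothing is cut.
    """
    profile = []
    for n in sizes:
        start = time.perf_counter()
        truncate_html_words("< " * n, n + 1)
        profile.append((n, time.perf_counter() - start))
    return profile
```

truncate_html_words("<p>The <b>quick</b> brown fox jumps</p>", 3) returns "<p>The <b>quick</b> brown…</p>", and timing_profile([20_000, 200_000]) should show close to a tenfold increase in time for a tenfold increase in length; repeating that measurement on longer and more malformed inputs is the check to run against any HTML truncator before exposing it to user-supplied text. For a deployed Django the first check is simpler: confirm the installed version is at or above the fixed releases listed in this bug.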

Comment 7 Borja Tarraso 2024-03-04 09:27:09 UTC
Created autotest-framework tracking bugs for this issue:

Affects: epel-all [bug 2267656]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2267657]
Affects: fedora-all [bug 2267654]


Created python-django16 tracking bugs for this issue:

Affects: epel-all [bug 2267658]


Created python-django3 tracking bugs for this issue:

Affects: epel-all [bug 2267653]
Affects: fedora-all [bug 2267655]

Comment 8 errata-xmlrpc 2024-04-02 19:30:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 11 errata-xmlrpc 2024-04-18 01:52:14 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

