Catastrophic Backtracking in Django URL Handling Affecting Multiple Versions
CVE-2018-7536

5.3 MEDIUM

Key Information:

Vendor
Canonical
CVE Published:
9 March 2018

Summary

A performance issue exists in Django versions 2.0 (prior to 2.0.3), 1.11 (prior to 1.11.11), and 1.8 (prior to 1.8.19) because the regular expressions used by the django.utils.html.urlize() function are susceptible to catastrophic backtracking. Certain crafted inputs cause these regular expressions to take an unreasonably long time to evaluate. Since urlize() is used to implement the urlize and urlizetrunc template filters, applications that apply these filters to untrusted input are exposed to potential performance degradation.

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
