Performance Impact in Django Framework's Text Processing Functions
CVE-2018-7537

5.3MEDIUM

Key Information:

Vendor
Canonical
Status
Ubuntu Linux
Vendor
CVE Published:
9 March 2018

Summary

A performance issue has been identified in the Django framework that affects the chars() and words() methods within the django.utils.text.Truncator when the html=True argument is used. This flaw can lead to significant slowdowns during evaluation of certain inputs, as it involves catastrophic backtracking in a regular expression. These methods are integral to the truncatechars_html and truncatewords_html template filters, thus rendering them vulnerable to performance degradation under specific conditions.

References

https://usn.ubuntu.com/3591-1/
vendor-advisoryx_refsource_UBUNTU
https://lists.debian.org/debian-lts-announce/2018/03/msg0...
mailing-listx_refsource_MLIST
https://www.djangoproject.com/weblog/2018/mar/06/security...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.