Denial of Service Vulnerability in Django Framework Affecting Specific Versions
CVE-2023-43665

7.5HIGH

Key Information:

Vendor: Djangoproject
Status: Django
Vendor: CVE Published:; 3 November 2023

What is CVE-2023-43665?

In specific versions of the Django framework, potential Denial of Service attacks can be executed through the django.utils.text.Truncator's chars() and words() methods. When these methods are invoked with html=True using extremely long or malformed HTML inputs, they may lead to severe resource exhaustion, compromising application availability. This vulnerability specifically impacts the truncatechars_html and truncatewords_html template filters, which rely on the aforementioned methods, making them susceptible to abuse. Owing to an incomplete fix from a prior vulnerability, developers should take immediate action to protect their applications.

References

https://groups.google.com/forum/#%21forum/django-announce

https://docs.djangoproject.com/en/4.2/releases/security/

https://www.djangoproject.com/weblog/2023/oct/04/security...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 3, 2023
Vulnerability Reserved
Sep 20, 2023

Djangoproject

What is CVE-2023-43665?

References

CVSS V3.1

Timeline