5.3

CVE-2018-7537

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version17.10
DjangoprojectDjango Version >= 1.8 < 1.8.19
DjangoprojectDjango Version >= 1.11 < 1.11.11
DjangoprojectDjango Version >= 2.0 < 2.0.3
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.62% 0.905
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

https://access.redhat.com/errata/RHSA-2018:2927
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0265
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
Third Party Advisory
Mailing List
https://usn.ubuntu.com/3591-1/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4161
Third Party Advisory
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Vendor Advisory
Release Notes
http://www.securityfocus.com/bid/103357
Third Party Advisory
VDB Entry