CVE-2019-14232

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

How to fix CVE-2019-14232

To remediate CVE-2019-14232, upgrade the affected package to a fixed version below.

• —upgrade to 1.11.23-r0 or later
• —upgrade to 1.11.23-r0 or later
• —upgrade to 1.7.11-1+deb8u7 or later
• —upgrade to 3:3.2.25-0+deb12u1 or later
• —upgrade to 1:1.10.7-2+deb9u6 or later
• —upgrade to 2:2.2.4-1 or later
• —upgrade to 1.11.23 or later
• —upgrade to 1.11.23 or later

Is CVE-2019-14232 being exploited?

Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 1.11.23-r0
• from 0, < 1.11.23-r0
• from 0, < 1.7.11-1+deb8u7
• from 0, < 3:3.2.25-0+deb12u1
• from 0, < 1:1.10.7-2+deb9u6
• from 0, < 2:2.2.4-1
• >= 1.11a1, < 1.11.23
• >= 1.11, < 1.11.23, >= 2.1, < 2.1.11, >= 2.2, < 2.2.4

CVSS scores

References (28)

• ADVISORYgithub.com/advisories/GHSA-c4qh-4vgv-qc6g
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-14232
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-14232
• ADVISORYsecurity.netapp.com/advisory/ntap-20190828-0002/
• ADVISORY