Vulnerability Description
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Solaris | 11.2 |
| Djangoproject | Django | 1.6 |
| Canonical | Ubuntu Linux | 10.04 |
| Fedoraproject | Fedora | 22 |
| Opensuse | Opensuse | 13.2 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlThird Party Advisory
- http://www.securityfocus.com/bid/73322
- http://www.ubuntu.com/usn/USN-2539-1Third Party Advisory
- https://www.djangoproject.com/weblog/2015/mar/18/security-releases/PatchVendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlThird Party Advisory
- http://www.securityfocus.com/bid/73322
- http://www.ubuntu.com/usn/USN-2539-1Third Party Advisory
- https://www.djangoproject.com/weblog/2015/mar/18/security-releases/PatchVendor Advisory
FAQ
What is CVE-2015-2316?
CVE-2015-2316 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of servic...
How severe is CVE-2015-2316?
CVE-2015-2316 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2316?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Solaris, Djangoproject Django, Canonical Ubuntu Linux, Fedoraproject Fedora, Opensuse Opensuse.