CVE-2018-7536 — MEDIUM (5.3)

Q: How severe is CVE-2018-7536?

CVE-2018-7536 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-7536?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Djangoproject Django, Debian Debian Linux, Redhat Openstack.

Vulnerability Description

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	14.04
Djangoproject	Django	>= 1.8, < 1.8.19
Debian	Debian Linux	7.0
Redhat	Openstack	10

Related Weaknesses (CWE)

CWE-185

References

http://www.securityfocus.com/bid/103361Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0051Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0082Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0265Third Party Advisory
https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3591-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4161Third Party Advisory
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/Release NotesVendor Advisory
http://www.securityfocus.com/bid/103361Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0051Third Party Advisory

FAQ

What is CVE-2018-7536?

CVE-2018-7536 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophi...

How severe is CVE-2018-7536?

CVE-2018-7536 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-7536?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Djangoproject Django, Debian Debian Linux, Redhat Openstack.