CVE-2018-7537 — MEDIUM (5.3)

Q: How severe is CVE-2018-7537?

CVE-2018-7537 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-7537?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Djangoproject Django, Debian Debian Linux.

Vulnerability Description

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	14.04
Djangoproject	Django	>= 1.8, < 1.8.19
Debian	Debian Linux	7.0

Related Weaknesses (CWE)

CWE-185

References

http://www.securityfocus.com/bid/103357Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0265Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3591-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4161Third Party Advisory
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/Release NotesVendor Advisory
http://www.securityfocus.com/bid/103357Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2927Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0265Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3591-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4161Third Party Advisory
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/Release NotesVendor Advisory

FAQ

What is CVE-2018-7537?

CVE-2018-7537 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they we...

How severe is CVE-2018-7537?

CVE-2018-7537 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-7537?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Djangoproject Django, Debian Debian Linux.