Lucene search

[email protected]CVE-2018-7536

HistoryMar 09, 2018 - 8:29 p.m.

CVE-2018-7536

2018-03-0920:29:00

CWE-185

[email protected]

web.nvd.nist.gov

475

django

django 2.0

django 1.11

django 1.8

cve-2018-7536

html

urlize

vulnerability

nvd

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.7 Medium

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.1%

JSON

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Affected configurations

NVD

Node

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch17.10

Node

djangoprojectdjangoRange1.8–1.8.19

djangoprojectdjangoRange1.11–1.11.11

djangoprojectdjangoRange2.0–2.0.3

Node

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

redhatopenstackMatch10

redhatopenstackMatch13

CPENameOperatorVersion
canonical:ubuntu_linuxcanonical ubuntu linuxeq14.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq16.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq17.10

CPE	Name	Operator	Version
canonical:ubuntu_linux	canonical ubuntu linux	eq	14.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	16.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	17.10