Mageia advisory MGASA-2024-0075 (listed source: Gentoo Foundation)
History: Mar 20, 2024 - 6:35 a.m.

Updated python-django package fixes a security vulnerability

Published: 2024-03-20 06:35:18
Reporter: Gentoo Foundation
Source: advisories.mageia.org
Tags: python-django, security, vulnerability, truncator.words(), template filter, regular expression, denial-of-service, attack

CVSS3: 5.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 10.3%)

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. (CVE-2024-27351)

OS      Version  Architecture  Package        Version       Filename
Mageia  9        noarch        python-django  < 4.1.13-1.1  python-django-4.1.13-1.1.mga9
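An added example (not code from Django, Mageia or the advisory) that turns the affected ranges stated in the CVE text above into an inventory check: it parses Django version strings and reports whether each falls into one of the three upstream branches before its fixed release. The host names and versions in the sample input are constructed; branches the CVE text does not name (such as the 4.1.x that Mageia 9 ships) are reported as "not covered", since for those only the distribution package release, not the upstream version, says whether the backported fix is present.

```python
"""Check Django version strings against the affected ranges in CVE-2024-27351:
3.2 before 3.2.25, 4.2 before 4.2.11, 5.0 before 5.0.3 (taken from the advisory text).
Added example for this advisory page; not project code."""
import re

# First fixed release per affected upstream branch, as stated in the CVE description.
FIXED_IN = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 11),
    (5, 0): (5, 0, 3),
}

# Accepts "4.2", "4.2.10", "4.2.10rc1" (pre-release suffix is ignored, so a
# pre-release of the fixed version is treated as fixed; tighten if that matters).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) for a Django version string; patch defaults to 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True/False for the branches named in the CVE text; None when the branch is
    not covered (e.g. 4.1.x as shipped by Mageia, where the fix is a distro backport
    identified by the package release, here python-django-4.1.13-1.1.mga9)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def report(hosts):
    """Summarise (host, version) pairs as one line each; returns the lines."""
    labels = {
        True: "VULNERABLE (upgrade)",
        False: "fixed",
        None: "branch not in CVE text; check distro package release",
    }
    return [f"{host}: Django {ver} -> {labels[is_vulnerable(ver)]}" for host, ver in hosts]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = [
        ("web-01", "4.2.10"),
        ("web-02", "4.2.11"),
        ("legacy-03", "3.2.24"),
        ("mga9-04", "4.1.13"),
    ]
    print("\n".join(report(sample)))
```

For the Mageia row in the table above, the relevant comparison is the package release (anything older than 4.1.13-1.1 is unpatched), which is why the check deliberately returns None rather than guessing for a branch the CVE text does not list.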
