In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
[
{
"cpes": [
"cpe:2.3:a:django-rest-framework:django_rest_framework:*:*:*:*:*:*:*:*"
],
"vendor": "django-rest-framework",
"product": "django_rest_framework",
"versions": [
{
"status": "affected",
"version": "5.0",
"lessThan": "5.0.3",
"versionType": "semver"
}
],
"defaultStatus": "unknown"
}
]
www.openwall.com/lists/oss-security/2024/03/04/1
docs.djangoproject.com/en/5.0/releases/security/
groups.google.com/forum/#%21forum/django-announce
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
www.djangoproject.com/weblog/2024/mar/04/security-releases/