Incorrect Regular Expression
CVE-2018-7537
Summary
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. The older branches are unsupported and might be vulnerable as well.
CVSS base metrics:
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: LOW
CWE-185 - Incorrect Regular Expression
The software specifies a regular expression in a way that causes data to be improperly matched or compared.
References
Advisory Timeline
- Published