NVD Vulnerability Detail

CVE-2018-7537

Summary	An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Publication Date	March 10, 2018, 5:29 a.m.
Registration Date	March 1, 2021, 7:38 p.m.
Last Update	Nov. 21, 2024, 1:12 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/103357	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/103357	Third Party Advisory VDB Entry
3	https://access.redhat.com/errata/RHSA-2018:2927	Third Party Advisory
4	https://access.redhat.com/errata/RHSA-2018:2927	Third Party Advisory
5	https://access.redhat.com/errata/RHSA-2019:0265	Third Party Advisory
6	https://access.redhat.com/errata/RHSA-2019:0265	Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html	Mailing List Third Party Advisory
8	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html	Mailing List Third Party Advisory
9	https://usn.ubuntu.com/3591-1/	Third Party Advisory
10	https://usn.ubuntu.com/3591-1/	Third Party Advisory
11	https://www.debian.org/security/2018/dsa-4161	Third Party Advisory
12	https://www.debian.org/security/2018/dsa-4161	Third Party Advisory
13	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/	Release Notes Vendor Advisory
14	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/	Release Notes Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-185	不正な正規表現	https://cwe.mitre.org/data/definitions/185.html

JVN Vulnerability Information

Django における不正な正規表現に関する脆弱性

Title	Django における不正な正規表現に関する脆弱性
Summary	Django には、不正な正規表現に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 6, 2018, midnight
Registration Date	April 19, 2018, 5:02 p.m.
Last Update	April 19, 2018, 5:02 p.m.

Affected System

Debian

Debian GNU/Linux

Canonical

Ubuntu

Django Software Foundation

Django 1.11.11 未満の 1.11

Django 1.8.19 未満の 1.8

Django 2.0.3 未満の 2.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-7537	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7537
Django weblog
2	CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
National Vulnerability Database (NVD)
3	CVE-2018-7537	https://nvd.nist.gov/vuln/detail/CVE-2018-7537

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-185	https://cwe.mitre.org/data/definitions/185.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 1303-1] python-django security update	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
Debian Security Advisory
2	DSA-4161	https://www.debian.org/security/2018/dsa-4161
Ubuntu Security Notice
3	USN-3591-1	https://usn.ubuntu.com/3591-1/

Change Log

No	Changed Details	Date of change
1	[2018年04月19日] 掲載	April 19, 2018, 5:02 p.m.