CVE-2018-7536
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-7536
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7536.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-7536
- Aliases
- Related
- Published
- 2018-03-09T20:29:00Z
- Modified
- 2024-09-18T03:00:37.783168Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
- References
-
- http://www.securityfocus.com/bid/103361
- https://access.redhat.com/errata/RHSA-2018:2927
- https://access.redhat.com/errata/RHSA-2019:0051
- https://access.redhat.com/errata/RHSA-2019:0082
- https://access.redhat.com/errata/RHSA-2019:0265
- https://www.debian.org/security/2018/dsa-4161
- https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
- https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
- https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
- https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
- https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8
- https://usn.ubuntu.com/3591-1/
- https://security.alpinelinux.org/vuln/CVE-2018-7536
- https://security-tracker.debian.org/tracker/CVE-2018-7536
Affected packages
Alpine:v3.10 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.11 / py3-django
Package
- Name
- py3-django
- Purl
- pkg:apk/alpine/py3-django?arch=source
Alpine:v3.12 / py3-django
Package
- Name
- py3-django
- Purl
- pkg:apk/alpine/py3-django?arch=source
Alpine:v3.4 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.5 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.6 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.7 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.8 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Alpine:v3.9 / py-django
Package
- Name
- py-django
- Purl
- pkg:apk/alpine/py-django?arch=source
Debian:11 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source
Debian:12 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source
Debian:13 / python-django
Package
- Name
- python-django
- Purl
- pkg:deb/debian/python-django?arch=source
Git / github.com/django/django
Affected ranges
- Type
- GIT
- Repo
- https://github.com/django/django
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
Affected versions
1.*
1.0
1.1
1.11
1.11.1
1.11.10
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.11.9
1.11a1
1.11b1
1.11rc1
1.2
1.2.1
1.3
1.4
1.7a1
1.7a2
1.8
1.8.1
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8a1
1.8b1
1.8b2
1.8c1
2.*
2.0
2.0.1
2.0.2
2.0a1
2.0b1
2.0rc1