ID CVE-2018-7537
Summary An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Vulnerable Configurations
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.10
    cpe:2.3:o:canonical:ubuntu_linux:17.10
  • Django Project Django 1.8 Beta 1
    cpe:2.3:a:djangoproject:django:1.8:beta1
  • Django Project Django 1.8.0
    cpe:2.3:a:djangoproject:django:1.8.0
  • Django Project Django 1.8.0 Alpha 1
    cpe:2.3:a:djangoproject:django:1.8.0:a1
  • Django Project Django 1.8.0 Beta 1
    cpe:2.3:a:djangoproject:django:1.8.0:b1
  • Django Project Django 1.8.0 Beta 2
    cpe:2.3:a:djangoproject:django:1.8.0:b2
  • Django Project Django 1.8.0 C1
    cpe:2.3:a:djangoproject:django:1.8.0:c1
  • Django Project Django 1.8.1
    cpe:2.3:a:djangoproject:django:1.8.1
  • Django Project Django 1.8.2
    cpe:2.3:a:djangoproject:django:1.8.2
  • Django Project Django 1.8.3
    cpe:2.3:a:djangoproject:django:1.8.3
  • Django Project Django 1.8.4
    cpe:2.3:a:djangoproject:django:1.8.4
  • Django Project Django 1.8.5
    cpe:2.3:a:djangoproject:django:1.8.5
  • Django Project Django 1.8.6
    cpe:2.3:a:djangoproject:django:1.8.6
  • Django Project Django 1.8.9
    cpe:2.3:a:djangoproject:django:1.8.9
  • Django Project Django 1.8.14
    cpe:2.3:a:djangoproject:django:1.8.14
  • Django Project Django 1.8.16
    cpe:2.3:a:djangoproject:django:1.8.16
  • Django Project Django 1.8.17
    cpe:2.3:a:djangoproject:django:1.8.17
  • Django Project Django 1.11
    cpe:2.3:a:djangoproject:django:1.11
  • Django Project Django 1.11.1
    cpe:2.3:a:djangoproject:django:1.11.1
  • Django Project Django 1.11.2
    cpe:2.3:a:djangoproject:django:1.11.2
  • Django Project Django 1.11.3
    cpe:2.3:a:djangoproject:django:1.11.3
  • Django Project Django 1.11.4
    cpe:2.3:a:djangoproject:django:1.11.4
  • Django Project Django 1.11.5
    cpe:2.3:a:djangoproject:django:1.11.5
  • Django Project Django 1.11.6
    cpe:2.3:a:djangoproject:django:1.11.6
  • Django Project Django 1.11.7
    cpe:2.3:a:djangoproject:django:1.11.7
  • Django Project Django 1.11.8
    cpe:2.3:a:djangoproject:django:1.11.8
  • Django Project Django 1.11.9
    cpe:2.3:a:djangoproject:django:1.11.9
  • Django Project Django 1.11.10
    cpe:2.3:a:djangoproject:django:1.11.10
  • Django Project Django 2.0
    cpe:2.3:a:djangoproject:django:2.0
  • Django Project Django 2.0.1
    cpe:2.3:a:djangoproject:django:2.0.1
  • Django Project Django 2.0.2
    cpe:2.3:a:djangoproject:django:2.0.2
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-185
CAPEC
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Flash Parameter Injection
    An attacker injects values to global parameters into a Flash movie embedded in an HTML document. These injected parameters are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other objects within the Flash movie as well as full control over the parent document's DOM model.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash character. An attacker would try to exploit common filtering problems related to the use of slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4161.NASL
    description James Davis discovered two issues in Django, a high-level Python web development framework, that can lead to a denial-of-service attack. An attacker with control over the input of the django.utils.html.urlize() function or django.utils.text.Truncator's chars() and words() methods could craft a string that might stall the execution of the application.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 108773
    published 2018-04-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108773
    title Debian DSA-4161-1 : python-django - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-39CC0BC342.NASL
    description Update to 1.11.11 security release (CVE-2018-7536 CVE-2018-7537) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120357
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120357
    title Fedora 28 : python2-django1.11 (2018-39cc0bc342)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2019-0265.NASL
    description Updated packages are now available for Red Hat Gluster Storage 3.4 Web Administration Batch Update 3 on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage Web Administration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS. Security Fix(es) : * django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536) * django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537) * django: Open redirect possibility in CommonMiddleware (CVE-2018-14574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Django project for reporting CVE-2018-7536 and CVE-2018-7537. Users of Red Hat Gluster Storage Web Administration with Red Hat Gluster Storage are advised to upgrade to this updated package to fix these issues.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 121606
    published 2019-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121606
    title RHEL 7 : Storage Server (RHSA-2019:0265)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-BD1147F152.NASL
    description update to 1.11.11, fix CVE-2018-7536, CVE-2018-7537 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108390
    published 2018-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108390
    title Fedora 27 : python-django (2018-bd1147f152)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-CCE0E0BD04.NASL
    description update to 2.0.3, fix CVE-2018-7536 (rhbz#1552178) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120798
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120798
    title Fedora 28 : python-django (2018-cce0e0bd04)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1303.NASL
    description Several functions were extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in several regular expressions. CVE-2018-7536 The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. The problematic regular expressions are replaced with parsing logic that behaves similarly. CVE-2018-7537 If django.utils.text.Truncator’s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. The backtracking problem in the regular expression is fixed. For Debian 7 'Wheezy', these problems have been fixed in version 1.4.22-1+deb7u4. We recommend that you upgrade your python-django packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 107242
    published 2018-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107242
    title Debian DLA-1303-1 : python-django security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3591-1.NASL
    description James Davis discovered that Django incorrectly handled certain template filters. A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 107194
    published 2018-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107194
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : python-django vulnerabilities (USN-3591-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2927.NASL
    description An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * hornetq: XXE/SSRF in XPath selector (CVE-2015-3208) * bouncycastle: Information disclosure in GCMBlockCipher (CVE-2015-6644) * bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338) * bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339) * bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341) * bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342) * bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344) * bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345) * bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346) * bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352) * logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929) * python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (CVE-2017-7233) * hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536) * puppet: Environment leakage in puppet-agent (CVE-2017-10690) * Satellite 6: XSS in discovery rule filter autocomplete functionality (CVE-2017-12175) * foreman: Stored XSS in fact name or value (CVE-2017-15100) * pulp: sensitive credentials revealed through the API (CVE-2018-1090) * foreman: SQL injection due to improper handling of the widget id parameter (CVE-2018-1096) * foreman: Ovirt admin password exposed by foreman API (CVE-2018-1097) * django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536) * django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537) * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340) * bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343) * puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions (CVE-2017-10689) * bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions (CVE-2018-5382) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; and the Django project for reporting CVE-2017-7233, CVE-2018-7536, and CVE-2018-7537. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat); and the CVE-2018-1096 issue was discovered by Martin Povolny (Red Hat). Red Hat would also like to thank David Jorm (IIX Product Security) for reporting CVE-2015-3208. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 118185
    published 2018-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118185
    title RHEL 7 : Satellite Server (RHSA-2018:2927)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-318.NASL
    description This update for python3-Django to version 1.18.18 fixes multiple issues. Security issues fixed : - CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305) - CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters (bsc#1083304). - CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374). - CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade (bsc#968000). - CVE-2016-2512: Fixed malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth (bsc#967999). - CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050). - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047). - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451). - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450). - CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)
    last seen 2019-02-21
    modified 2018-03-27
    plugin id 108641
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108641
    title openSUSE Security Update : python3-Django (openSUSE-2018-318)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-317.NASL
    description This update for python-Django to version 1.18.18 fixes multiple issues. Security issues fixed : - CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305) - CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters (bsc#1083304). - CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374). - CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade (bsc#968000). - CVE-2016-2512: Fixed malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth (bsc#967999). - CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050). - CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047). - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451). - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450). - CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)
    last seen 2019-02-21
    modified 2018-03-27
    plugin id 108640
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108640
    title openSUSE Security Update : python-Django (openSUSE-2018-317)
redhat via4
advisories
  • rhsa
    id RHSA-2018:2927
  • rhsa
    id RHSA-2019:0265
refmap via4
bid 103357
confirm https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
debian DSA-4161
mlist [debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update
ubuntu USN-3591-1
Last major update 09-03-2018 - 15:29
Published 09-03-2018 - 15:29
Last modified 28-02-2019 - 17:37