CVE-2018-7536

Impact:
Moderate
Public Date:
2018-03-06
CWE:
CWE-20->CWE-400
Bugzilla:
1549777: CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'

The MITRE CVE dictionary describes this issue as:

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Find out more about CVE-2018-7536 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact Low

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenStack Platform 10 (python-django) RHSA-2019:0051 2019-01-16
Red Hat Satellite 6.4 for RHEL 7 (python-django) RHSA-2018:2927 2018-10-16
Red Hat Satellite 6.4 for RHEL 7 (python-django) RHSA-2018:2927 2018-10-16
Red Hat OpenStack Platform 13.0 (Queens) (python-django) RHSA-2019:0082 2019-01-16
Red Hat Gluster Storage 3.4 for RHEL 7 (python-django) RHSA-2019:0265 2019-02-04
Red Hat Gluster Storage 3.4 for RHEL 7 RHSA-2019:0265 2019-02-04

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 Django Will not fix
Red Hat Storage Console 2 python-django Will not fix
Red Hat Satellite 6 python-django Will not fix
Red Hat OpenStack Platform Operational Tools 9 python-django Will not fix
Red Hat OpenStack Platform 9.0 python-django Will not fix
Red Hat OpenStack Platform 8.0 (Liberty) python-django Will not fix
Red Hat OpenStack Platform 12.0 python-django Will not fix
Red Hat OpenStack Platform 11.0 (Ocata) python-django Will not fix
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 python-django Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 python-django Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 python-django Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 python-django Will not fix
Red Hat Ceph Storage 3 python-django Will not fix
Red Hat Ceph Storage 2 python-django Will not fix
Red Hat Ceph Storage 1.3 python-django Will not fix

Acknowledgements

Red Hat would like to thank the Django project for reporting this issue.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation