CVE-2018-7537

Impact:: Moderate
Public Date:: 2018-03-06
CWE:: CWE-20->CWE-400

Bugzilla:: 1549779: CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'

The MITRE CVE dictionary describes this issue as:

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Find out more about CVE-2018-7537 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score	5.3
CVSS3 Base Metrics	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality	None
Integrity Impact	None
Availability Impact	Low

Red Hat Security Errata

Platform	Errata	Release Date
Red Hat Satellite 6.4 for RHEL 7 (python-django)	RHSA-2018:2927	2018-10-16
Red Hat Satellite 6.4 for RHEL 7 (python-django)	RHSA-2018:2927	2018-10-16

Affected Packages State

Platform	Package	State
Red Hat Subscription Asset Manager 1	Django	Will not fix
Red Hat Storage Console 2	python-django	Will not fix
Red Hat Satellite 6	python-django	Affected
Red Hat OpenStack Platform Operational Tools 9	python-django	Will not fix
Red Hat OpenStack Platform 9.0	python-django	Will not fix
Red Hat OpenStack Platform 8.0 (Liberty)	python-django	Will not fix
Red Hat OpenStack Platform 13.0 (Queens)	python-django	Will not fix
Red Hat OpenStack Platform 12.0	python-django	Will not fix
Red Hat OpenStack Platform 11.0 (Ocata)	python-django	Will not fix
Red Hat OpenStack Platform 10	python-django	Will not fix
Red Hat Gluster Storage 3	python-django	Affected
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7	python-django	Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7	python-django	Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7	python-django	Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7	python-django	Will not fix
Red Hat Ceph Storage 3	python-django	Affected
Red Hat Ceph Storage 2	python-django	Affected
Red Hat Ceph Storage 1.3	python-django	Affected

Acknowledgements

Red Hat would like to thank the Django project for reporting this issue.

External References

https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

Last Modified 2018-10-17T04:25:50+00:00

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories