CVE-2019-14233: Input Validation
First published: Tue Jul 30 2019(Updated: )
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/python-django | 1:1.11.29-1~deb10u1 1:1.11.29-1+deb10u10 2:2.2.28-1~deb11u2 3:3.2.19-1+deb12u1 3:3.2.21-1 3:4.2.6-1 | |
| redhat/python-django | <0:1.11.27-1.el7 | 0:1.11.27-1.el7 |
| redhat/python-django | <0:2.1.11-1.el8 | 0:2.1.11-1.el8 |
| redhat/python-django | <1.11.23 | 1.11.23 |
| redhat/python-django | <2.1.11 | 2.1.11 |
| redhat/python-django | <2.2.4 | 2.2.4 |
| pip/Django | >=2.2a1<2.2.4 | 2.2.4 |
| pip/Django | >=2.1a1<2.1.11 | 2.1.11 |
| pip/Django | >=1.11a1<1.11.23 | 1.11.23 |
| djangoproject Django | >=1.11<1.11.23 | |
| djangoproject Django | >=2.1<2.1.11 | |
| djangoproject Django | >=2.2<2.2.4 | |
| openSUSE | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-14233
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://seclists.org/bugtraq/2019/Aug/15
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20190828-0002/
- https://www.debian.org/security/2019/dsa-4498
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- https://github.com/advisories/GHSA-h5jv-4p7w-64jg (Advisory)
- https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7
- https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72
- https://security-tracker.debian.org/tracker/CVE-2019-14233
- https://www.cve.org/CVERecord?id=CVE-2019-14233 https://nvd.nist.gov/vuln/detail/CVE-2019-14233 https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
- https://bugzilla.redhat.com/show_bug.cgi?id=1734410
- https://access.redhat.com/errata/RHSA-2020:4390
- https://access.redhat.com/errata/RHSA-2020:1324
- https://access.redhat.com/security/cve/cve-2019-14233
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1735772
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1735774
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1735775
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1735773
- https://github.com/django/django/commit/4b78420d250df5e21763633871e486ee76728cc4
- https://github.com/django/django/commit/5ff8e791148bd451180124d76a55cb2b2b9556eb
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1746613
- https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK
- https://security.netapp.com/advisory/ntap-20190828-0002
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases
Frequently Asked Questions
What is CVE-2019-14233?
CVE-2019-14233 is a vulnerability in Django versions 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.
What is the severity of CVE-2019-14233?
CVE-2019-14233 has a severity rating of 7.5 (high).
How does CVE-2019-14233 affect Django?
CVE-2019-14233 affects Django by causing the django.utils.html.strip_tags function to be extremely slow in evaluating certain inputs containing large sequences of nested incomplete HTML entities.
What are the affected versions of Django?
The affected versions of Django are 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.
How do I fix CVE-2019-14233?
To fix CVE-2019-14233, upgrade Django to version 1.11.23, 2.1.11, or 2.2.4, depending on the version you are currently using.
- collector/security-tracker-debian
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14233
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h5jv-4p7w-64jg
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/debian
- package-manager/redhat
- package-manager/pip
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.11
- version/djangoproject django/2.1
- version/djangoproject django/2.2
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1