CVE-2023-43665: Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
First published: Wed Sep 27 2023(Updated: )
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/django | >=4.2<4.2.6 | 4.2.6 |
| pip/django | >=4.1<4.1.12 | 4.1.12 |
| pip/django | >=3.2<3.2.22 | 3.2.22 |
| Djangoproject Django | >=3.2<3.2.22 | |
| Djangoproject Django | >=4.1<4.1.12 | |
| Djangoproject Django | >=4.2<4.2.6 | |
| Fedoraproject Fedora | =39 | |
| ubuntu/python-django | <4.2.6<4.1.12<3.2.22 | 4.2.6 4.1.12 3.2.22 |
| ubuntu/python-django | <2:2.2.12-1ubuntu0.20 | 2:2.2.12-1ubuntu0.20 |
| ubuntu/python-django | <2:3.2.12-2ubuntu1.9 | 2:3.2.12-2ubuntu1.9 |
| ubuntu/python-django | <3:3.2.18-1ubuntu0.5 | 3:3.2.18-1ubuntu0.5 |
| ubuntu/python-django | <1:1.11.11-1ubuntu1.21+ | 1:1.11.11-1ubuntu1.21+ |
| ubuntu/python-django | <3:4.2.4-1ubuntu2 | 3:4.2.4-1ubuntu2 |
| redhat/python-django | <3.2.22 | 3.2.22 |
| redhat/python-django | <4.1.12 | 4.1.12 |
| redhat/python-django | <4.2.6 | 4.2.6 |
| debian/python-django | <=1:1.11.29-1~deb10u1<=1:1.11.29-1+deb10u11<=2:2.2.28-1~deb11u2<=3:3.2.19-1+deb12u1 | 3:4.2.11-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-43665
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
- https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
- https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8
- https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://github.com/advisories/GHSA-h8gc-pgj2-vjm3 (Advisory)
- https://security.netapp.com/advisory/ntap-20231221-0001/
- https://launchpad.net/bugs/cve/CVE-2023-43665
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
- https://ubuntu.com/security/notices/USN-6414-1
- https://ubuntu.com/security/notices/USN-6414-2
- https://security-tracker.debian.org/tracker/CVE-2023-43665
- https://ubuntu.com/security/CVE-2023-43665
- https://www.openwall.com/lists/oss-security/2023/10/04/6
- https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d
- https://access.redhat.com/security/cve/CVE-2019-14232
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2242182
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2242180
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2242181
- https://access.redhat.com/errata/RHSA-2023:5758
- https://access.redhat.com/errata/RHSA-2023:6158
- https://access.redhat.com/errata/RHSA-2024:1536
- https://access.redhat.com/errata/RHSA-2024:1878
- https://access.redhat.com/errata/RHSA-2024:2010
- https://bugzilla.redhat.com/show_bug.cgi?id=2241046
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://docs.djangoproject.com/en/4.2/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://security.netapp.com/advisory/ntap-20231221-0001
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases
Frequently Asked Questions
What is the vulnerability ID of this security issue?
The vulnerability ID of this security issue is CVE-2023-43665.
What is the title of this vulnerability?
The title of this vulnerability is "Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator".
What is the description of this vulnerability?
The description of this vulnerability is "Denial-of-service possibility in django.utils.text.Truncator".
What software is affected by this vulnerability?
The affected software is python-django version 4.2.6, 4.1.12, and 3.2.22 on Ubuntu, version 2:2.2.12-1ubuntu0.20 on Ubuntu Focal, version 2:3.2.12-2ubuntu1.9 on Ubuntu Jammy, version 3:3.2.18-1ubuntu0.5 on Ubuntu Lunar, and version 1:1.11.11-1ubuntu1.21+ on Ubuntu Bionic.
How can I fix this vulnerability?
To fix this vulnerability, update your python-django package to the recommended version provided by your operating system vendor or follow the instructions in the official security release from Django.
- collector/oss-sec
- alias/CVE-2023-43665
- collector/github-advisory
- alias/GHSA-h8gc-pgj2-vjm3
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/title
- agent/severity
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- collector/nvd-api
- agent/last-modified-date
- collector/github-advisory-latest
- source/GitHub
- package-manager/pip
- package-manager/ubuntu
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/3.2
- version/djangoproject django/4.1
- version/djangoproject django/4.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/39
- package-manager/debian
- package-manager/redhat