CVE-2018-7536

CVE-2018-7536

Name

CVE-2018-7536

Description

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Release Notes	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Mailing List	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
Third Party Advisory	http://www.securityfocus.com/bid/103361
Third Party Advisory	https://usn.ubuntu.com/3591-1/
Third Party Advisory	https://www.debian.org/security/2018/dsa-4161
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:2927
Third Party Advisory	https://access.redhat.com/errata/RHSA-2019:0082
Third Party Advisory	https://access.redhat.com/errata/RHSA-2019:0051
Third Party Advisory	https://access.redhat.com/errata/RHSA-2019:0265
cve@mitre.org	https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
cve@mitre.org	https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
cve@mitre.org	https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8

Type

URI

Release Notes

https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

Mailing List

https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html

Third Party Advisory

http://www.securityfocus.com/bid/103361

Third Party Advisory

https://usn.ubuntu.com/3591-1/

Third Party Advisory

https://www.debian.org/security/2018/dsa-4161

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2927

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0082

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0051

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0265

cve@mitre.org

https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2

cve@mitre.org

https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16

cve@mitre.org

https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::`	ubuntu_linux	== None	== 14.04
`cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*`	ubuntu_linux	== None	== 17.10
`cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::`	ubuntu_linux	== None	== 16.04

CPE URI

Source package

Min version

Max version

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

ubuntu_linux

== None

== 14.04

cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*

ubuntu_linux

== None

== 17.10

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

ubuntu_linux

== None

== 16.04

References

Match rules

Vulnerable and fixed packages