CVE-2023-43665 (Medium) detected in Django-3.2.21-py3-none-any.whl - autoclosed

[mend-bolt-for-github]

CVE-2023-43665 - Medium Severity Vulnerability

Vulnerable Library - Django-3.2.21-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/97/8d/03ac2f7a3f751f597be12c03a09147f9ca80906264044bb05758bbcc2b32/Django-3.2.21-py3-none-any.whl

Dependency Hierarchy:

• ❌ Django-3.2.21-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4f267b5314b032c9de388aeb1653b03f28f84bf5

Found in base branch: main

Vulnerability Details

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

Publish Date: 2023-09-22

URL: CVE-2023-43665

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665

Release Date: 2023-09-22

Fix Resolution: Django - 3.2.22,4.1.12,4.2.6

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.