CVE-2023-43665
Denial of Service (DoS) vulnerability in django (PyPI)
What is CVE-2023-43665 About?
This Denial of Service (DoS) vulnerability affects Django versions 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6. It stems from an incomplete fix for CVE-2019-14232, where specially crafted, very long, and potentially malformed HTML text can exhaust system resources. Exploitation is possible if an attacker can provide such input to the vulnerable `truncatechars_html` or `truncatewords_html` template filters.
Affected Software
- django
  - >4.2a1, <4.2.6
  - >3.2, <3.2.22
  - >4.1a1, <4.1.12
  - >3.2a1, <3.2.22
Technical Details
The Django framework, specifically in versions 3.2 (before 3.2.22), 4.1 (before 4.1.12), and 4.2 (before 4.2.6), is vulnerable to a Denial of Service (DoS) due to an incomplete fix for a prior vulnerability (CVE-2019-14232). The `chars()` and `words()` methods of `django.utils.text.Truncator`, when used with `html=True` (which is how the `truncatechars_html` and `truncatewords_html` template filters call them), are susceptible to resource exhaustion. An attacker can provide a very long and malformed HTML string as input to these filters. Parsing and manipulating such long, inefficiently structured HTML in the vulnerable methods can consume excessive CPU and memory, causing the server to become unresponsive and resulting in a denial of service.
What is the Impact of CVE-2023-43665?
Successful exploitation may allow attackers to cause a denial of service, making the Django application unresponsive or unavailable to legitimate users.
What is the Exploitability of CVE-2023-43665?
Exploitation of this DoS vulnerability requires an attacker to submit a specially crafted, very long, and potentially malformed HTML string to a Django application that uses the truncatechars_html or truncatewords_html template filters. The complexity is moderate, requiring an understanding of how to create HTML that triggers inefficient processing. No specific authentication or elevated privileges are typically required for the initial input, as these filters often process user-supplied content. The attack is remote, provided the attacker can submit HTML via a web interface or API. The likelihood of exploitation increases in applications that display user-generated content and use these vulnerable HTML-truncation filters without limiting input size or applying robust sanitization before truncation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-43665?
Available Upgrade Options
- django
  - >3.2a1, <3.2.22 → Upgrade to 3.2.22
  - >4.1a1, <4.1.12 → Upgrade to 4.1.12
  - >4.2a1, <4.2.6 → Upgrade to 4.2.6
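The upgrade table above is the practical check a defender needs: is the Django in a given environment inside one of the affected ranges, and what is the minimum release to move to? The following is an added example written for this page (not Django's code and not a Resolved Security tool). It encodes exactly the three ranges listed above, with exclusive lower bounds at the `a1` pre-release as the advisory states them, and orders pre-releases `a < b < rc < final` in the PEP 440 manner using only the standard library. The `check_installed()` helper assumes Django is importable and uses the real `django.get_version()`; everything else runs without Django.

```python
import re

# Affected ranges for CVE-2023-43665 as listed in this advisory:
# (exclusive lower bound, exclusive upper bound, fixed release for that branch).
AFFECTED_RANGES = [
    ("3.2a1", "3.2.22", "3.2.22"),
    ("4.1a1", "4.1.12", "4.1.12"),
    ("4.2a1", "4.2.6", "4.2.6"),
]

# Django version strings look like "4.2.5", "4.2", "4.2a1", "4.2b1" or "4.2rc1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(version):
    """Turn a Django-style version string into a tuple that sorts correctly.

    Final releases sort after pre-releases of the same number (a < b < rc < final),
    and the release part is padded to three components so "3.2" equals "3.2.0".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))
    if m.group(2):
        # Pre-release: the 0 in position 2 places it before the final release's 1.
        return (release, 0, _PRE_RANK[m.group(2)], int(m.group(3)))
    return (release, 1)


def affected_range(version):
    """Return the (low, high, fix) triple the version falls into, or None."""
    key = version_key(version)
    for low, high, fix in AFFECTED_RANGES:
        if version_key(low) < key < version_key(high):
            return (low, high, fix)
    return None


def is_affected(version):
    """True if the given Django version is inside an affected range."""
    return affected_range(version) is not None


def recommended_fix(version):
    """Minimum upgrade target for an affected version, or None if not affected."""
    r = affected_range(version)
    return r[2] if r else None


def check_installed():
    """Check the Django importable in this environment; None if Django is absent.

    Returns (installed_version, is_affected, recommended_fix).
    """
    try:
        import django  # assumption: Django is installed in this interpreter
    except ImportError:
        return None
    installed = django.get_version()
    return installed, is_affected(installed), recommended_fix(installed)


if __name__ == "__main__":
    for v in ["3.2.21", "4.1rc1", "4.2.5", "4.2.6", "5.0"]:
        status = "affected" if is_affected(v) else "not affected"
        print(f"{v:>8}: {status}, upgrade to {recommended_fix(v)}")
    print("installed:", check_installed())
```

Note that `4.1a1` itself is excluded because the advisory writes the bound as `>4.1a1`; `4.1b1`, `4.1rc1` and the `4.1` final release are all inside the range. Versions outside the three listed branches (for example `4.0.x` or `5.0`) are reported as not affected by this CVE, which says nothing about their other security status.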
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
- https://osv.dev/vulnerability/GHSA-h8gc-pgj2-vjm3
- https://github.com/django/django
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
- https://security.netapp.com/advisory/ntap-20231221-0001/
What are Similar Vulnerabilities to CVE-2023-43665?
Similar Vulnerabilities: CVE-2019-14232, CVE-2022-3097, CVE-2023-28456, CVE-2023-29402, CVE-2023-42468
