Arch Linux update for python-django
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-7536 CVE-2018-7537 |
| CWE-ID | CWE-20 CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Arch Linux Operating systems & Components / Operating system |
| Vendor | Arch Linux |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU10952
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7536
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the django.utils.html.urlize() function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted input and cause the service to crash.
Update the affected package python-django to version 1.11.11-1.
Vulnerable software versionsArch Linux: All versions
External linkshttp://security.archlinux.org/advisory/ASA-201803-5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU11476
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7537
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the django.utils.html.urlize() function due to it was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. A remote attacker can cause the service to crash.
Update the affected package python-django to version 1.11.11-1.
Vulnerable software versionsArch Linux: All versions
External linkshttp://security.archlinux.org/advisory/ASA-201803-5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
