{"id":"CVE-2019-14232","details":"An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.","aliases":["GHSA-c4qh-4vgv-qc6g","PYSEC-2019-11"],"modified":"2026-05-18T05:50:38.006955902Z","published":"2019-08-02T15:15:11.880Z","related":["SUSE-SU-2019:2180-1","SUSE-SU-2019:2257-1","SUSE-SU-2019:2335-1","openSUSE-SU-2019:1839-1","openSUSE-SU-2019:1872-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"15.1"}],"vendor_product":"opensuse:leap","source":"CPE_FIELD","cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/10/04/6"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/03/04/1"},{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Aug/15"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202004-17"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190828-0002/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4498"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"},{"type":"FIX","url":"https://docs.djangoproject.com/en/dev/releases/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"974897759e9afc4cc56fb87e12319fa9697e93c9"},{"introduced":"df591468251ed489a3e147d7c359f387f4effe66"},{"fixed":"ff9dcc0867eba90e9ab1b07a4b3eb79928717918"},{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"8687fbe034ac5eec20e0948b98eb8a2f0b1431a1"}],"database_specific":{"extracted_events":[{"introduced":"1.11"},{"fixed":"1.11.23"},{"introduced":"2.1"},{"fixed":"2.1.11"},{"introduced":"2.2"},{"fixed":"2.2.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14232.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}