REDHAT-BUG-2436340
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (when called with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial of service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Frequently Asked Questions
What is the severity of REDHAT-BUG-2436340?
The severity of REDHAT-BUG-2436340 is considered high due to potential denial of service risks.
How do I fix REDHAT-BUG-2436340?
To fix REDHAT-BUG-2436340, upgrade Django to version 6.0.2, 5.2.11, or 4.2.28, or to a later release in the same series.
What versions of Django are affected by REDHAT-BUG-2436340?
Django versions 6.0 prior to 6.0.2, 5.2 prior to 5.2.11, and 4.2 prior to 4.2.28 are affected by REDHAT-BUG-2436340.
What impact does REDHAT-BUG-2436340 have on web applications?
REDHAT-BUG-2436340 could allow a remote attacker to cause a denial of service in web applications using affected Django versions.
Is there a workaround for REDHAT-BUG-2436340 if I can't upgrade?
There are no specific workarounds for REDHAT-BUG-2436340; upgrading to a patched version is the recommended action.
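The following script is an added example and is not part of this advisory or of the Django project: it checks Django version strings (from a requirements/freeze file or from the running environment) against the affected ranges stated above, and reports the older, unevaluated series separately rather than calling them safe. The `SAMPLE_FREEZE` text is constructed for the demonstration; `installed_django_version()` uses only the standard library and returns None when Django is not installed.

```python
"""Check Django versions against the ranges REDHAT-BUG-2436340 lists as affected."""
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Series prefix -> first fixed release, exactly as stated in the advisory text.
FIXED_IN = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

# Accepts "6.0", "6.0.1", and pre-release strings such as "6.0rc1"
# (the suffix is ignored, so a pre-release counts as patch level 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a Django version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it carries the fix,
    None if the series was not evaluated by the advisory (e.g. 5.0.x, 4.1.x, 3.2.x)
    and therefore may still be affected."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def scan_freeze(text: str) -> List[Tuple[str, Optional[bool]]]:
    """Find Django pins ("Django==x.y.z", case-insensitive) in pip-freeze style
    text and classify each one with is_affected()."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, pinned = line.partition("==")
        if sep and name.strip().lower() == "django":
            results.append((pinned.strip(), is_affected(pinned)))
    return results


def installed_django_version() -> Optional[str]:
    """Version of the Django distribution in the current environment, or None."""
    try:
        return metadata.version("Django")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample input for the demonstration; not taken from any real project.
SAMPLE_FREEZE = """\
asgiref==3.8.1
Django==5.2.10   # pinned before the 5.2.11 fix
sqlparse==0.5.1
"""


def describe(version: str, status: Optional[bool]) -> str:
    if status is None:
        return f"Django {version}: series not evaluated by the advisory; treat as possibly affected"
    if status:
        return f"Django {version}: AFFECTED, upgrade to {'.'.join(map(str, FIXED_IN[parse_version(version)[:2]]))} or later"
    return f"Django {version}: carries the fix"


if __name__ == "__main__":
    for pinned, status in scan_freeze(SAMPLE_FREEZE):
        print(describe(pinned, status))
    current = installed_django_version()
    if current is not None:
        print(describe(current, is_affected(current)))
```

Run it against a real `pip freeze > requirements.txt` by replacing `SAMPLE_FREEZE` with the file contents; the None result is deliberate, since the advisory does not clear the unsupported series.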