In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator     (CVE-2023-36053)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5c7fb64c74 advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-84fbbbb914 advisory.

  - In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are     subject to a potential ReDoS (regular expression denial of service) attack via a very large number of     domain name labels of emails and URLs. (CVE-2023-36053)

  - In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri()     is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of     Unicode characters. (CVE-2023-41164)

  - In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator     chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service)     attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods     are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also     vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. (CVE-2023-43665)

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

  - python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator     (CVE-2023-36053)

  - python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

  - python-django: Potential denial of service vulnerability in  ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

  - python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-2ec03ca8cb advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

  - golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)

  - GitPython: Blind local file inclusion (CVE-2023-41040)

  - axios: exposure of confidential data stored in cookies (CVE-2023-45857)

  - python-twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2024:0902-1 advisory.

  - Django reports: CVE-2024-27351: Potential regular expression denial-of-service in     django.utils.text.Truncator.words(). (CVE-2024-27351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2024:0080-1 advisory.

  - Django reports: CVE-2024-27351: Potential regular expression denial-of-service in     django.utils.text.Truncator.words(). (CVE-2024-27351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 host has a package installed that is affected by a vulnerability as referenced in the USN-6674-1 advisory.

  - Django reports: CVE-2024-27351: Potential regular expression denial-of-service in     django.utils.text.Truncator.words(). (CVE-2024-27351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0ef3398e-da21-11ee-b23a-080027a5b8e9 advisory.

  - Django reports: CVE-2024-27351: Potential regular expression denial-of-service in     django.utils.text.Truncator.words(). (CVE-2024-27351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6674-2 advisory.

  - Django reports: CVE-2024-27351: Potential regular expression denial-of-service in     django.utils.text.Truncator.words(). (CVE-2024-27351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
195424	RHEL 7 : python-django (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
194649	Fedora 40 : python-django (2024-5c7fb64c74)	Nessus	Fedora Local Security Checks	high
193650	Fedora 38 : python-django3 (2024-84fbbbb914)	Nessus	Fedora Local Security Checks	high
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	high
193457	Fedora 39 : python-django (2024-2ec03ca8cb)	Nessus	Fedora Local Security Checks	high
193086	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)	Nessus	Red Hat Local Security Checks	high
192146	openSUSE 15 Security Update : python-Django (SUSE-SU-2024:0902-1)	Nessus	SuSE Local Security Checks	high
191897	openSUSE 15 Security Update : python-Django1 (openSUSE-SU-2024:0080-1)	Nessus	SuSE Local Security Checks	high
191500	Ubuntu 20.04 LTS / 22.04 LTS / 23.10 : Django vulnerability (USN-6674-1)	Nessus	Ubuntu Local Security Checks	high
191498	FreeBSD : Django -- multiple vulnerabilities (0ef3398e-da21-11ee-b23a-080027a5b8e9)	Nessus	FreeBSD Local Security Checks	high
191493	Ubuntu 18.04 LTS : Django vulnerability (USN-6674-2)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2024-27351

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high