Debian dla-4210 : python-django-doc - security update

high Nessus Plugin ID 238025

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4210 advisory.

- ------------------------------------------------------------------------- Debian LTS Advisory DLA-4210-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb June 09, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django Version : 2:2.2.28-1~deb11u7 CVE IDs : CVE-2025-48432 CVE-2025-32873 CVE-2023-41164 CVE-2023-43665 CVE-2024-24680 CVE-2024-27351 Debian Bugs : 1107282 1104872 1051226

A number of vulnerabilities were discovered in Django, a popular Python-based web-development framework:

* CVE-2025-48432: Potential log injection via unescaped request path.

Django's internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
(Closes: #1107282)

* CVE-2025-32873: Denial-of-service possibility in strip_tags()

django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags.
(Closes: #1104872)

* CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri(). This method was subject to potential denial of service attack via certain inputs with a very large number of Unicode characters. (Closes: #1051226)

* CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator??s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

* CVE-2024-24680: Potential denial-of-service in intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

* CVE-2024-27351: Fix a potential regular expression denial-of-service (ReDoS) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string. This is, in part, a follow up to CVE-2019-14232 and CVE-2023-43665.

For Debian 11 bullseye, these problems have been fixed in version 2:2.2.28-1~deb11u7.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the python-django-doc packages.

Plugin Details

Severity: High

ID: 238025

File Name: debian_DLA-4210.nasl

Version: 1.1

Type: local

Agent: unix

Family: Debian Local Security Checks

Published: 6/9/2025

Updated: 6/9/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2019-14232

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-24680

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2023-43665

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python-django-doc, p-cpe:/a:debian:debian_linux:python3-django

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2025

Vulnerability Publication Date: 8/2/2019

Reference Information

CVE: CVE-2019-14232, CVE-2023-41164, CVE-2023-43665, CVE-2024-24680, CVE-2024-27351, CVE-2025-32873, CVE-2025-48432

Detections

Analytics