High severityNVD Advisory· Published Nov 3, 2023· Updated Nov 4, 2025
CVE-2023-43665
CVE-2023-43665
Description
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 3.2a1, < 3.2.22 | 3.2.22 |
DjangoPyPI | >= 4.1a1, < 4.1.12 | 4.1.12 |
DjangoPyPI | >= 4.2a1, < 4.2.6 | 4.2.6 |
Affected products
19- osv-coords18 versionspkg:bitnami/djangopkg:pypi/djangopkg:rpm/opensuse/python-Django1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-Django1&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Django1&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/python-Django1&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP5
>= 3.2.0, < 3.2.22+ 17 more
- (no CPE)range: >= 3.2.0, < 3.2.22
- (no CPE)range: >= 3.2a1, < 3.2.22
- (no CPE)range: < 1.11.29-bp154.2.9.1
- (no CPE)range: < 1.11.29-bp155.4.6.1
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 2.2.28-bp154.2.15.1
- (no CPE)range: < 2.2.28-bp155.7.6.1
- (no CPE)range: < 4.2.6-1.1
- (no CPE)range: < 1.11.29-3.53.1
- (no CPE)range: < 1.11.29-3.53.1
- (no CPE)range: < 1.11.29-bp154.2.9.1
- (no CPE)range: < 1.11.29-bp155.4.6.1
- (no CPE)range: < 1.11.29-3.54.1
- (no CPE)range: < 1.11.29-3.54.1
- (no CPE)range: < 1.11.29-3.54.1
- (no CPE)range: < 2.2.28-bp154.2.15.1
- (no CPE)range: < 2.2.28-bp155.7.6.1
Patches
Vulnerability mechanics
References
21- github.com/advisories/GHSA-h8gc-pgj2-vjm3ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2023-43665ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/03/04/1ghsamailing-listWEB
- docs.djangoproject.com/en/4.2/releases/securityghsaWEB
- github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473ghsaWEB
- github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8ghsaWEB
- github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yamlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSUghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4DghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSUghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4DghsaWEB
- security.netapp.com/advisory/ntap-20231221-0001ghsaWEB
- www.djangoproject.com/weblog/2023/oct/04/security-releasesghsaWEB
- docs.djangoproject.com/en/4.2/releases/security/mitre
- security.netapp.com/advisory/ntap-20231221-0001/mitre
- www.djangoproject.com/weblog/2023/oct/04/security-releases/mitre
News mentions
0No linked articles in our index yet.