CVE-2023-36053

HIGH

Django <3.2.20-4.1.10-4.2.3 - DoS

Title source: llm

Description

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

References (9)

[Release Notes] https://docs.djangoproject.com/en/4.2/releases/security/

[Permissions Required] https://groups.google.com/forum/#%21forum/django-announce

[Patch, Vendor Advisory] https://www.djangoproject.com/weblog/2023/jul/03/security-releases/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5465

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/

Scores

CVSS v3 7.5

EPSS 0.0983

EPSS Percentile 93.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (7)

debian/debian_linux 10.0

debian/debian_linux 11.0

debian/debian_linux 12.0

djangoproject/django 3.2 - 3.2.20

fedoraproject/fedora 37

fedoraproject/fedora 38

pypi/Django 3.2a1 - 3.2.20PyPI

Published Jul 03, 2023

Tracked Since Feb 18, 2026