Is CVE-2023-43665 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2023-43665 affect?

Tracked products affected include Django. Check the version you run to see whether it is affected.

How do I fix CVE-2023-43665?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2023-43665

Q: What is CVE-2023-43665?

CVE-2023-43665 is a high-severity software vulnerability (CWE-1284) with a CVSS score of 7.5. In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with v

HIGH severity · CVSS 7.5 · CWE-1284

7.5CVSS HIGH

Summary

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

Django

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://docs.djangoproject.com/en/4.2/releases/security/ ↗

CVE-2023-43665

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information