CVE-2019-14233 - log back

CVE-2019-14233 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable. strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made
References
+ https://docs.djangoproject.com/en/dev/releases/1.11.23/
+ https://github.com/django/django/commit/4b78420d250df5e21763633871e486ee76728cc4
Notes