CVE-2020-15225 Denial of Service vulnerability in django-filter

2021-04-2900:00:00

CWE-681

GitHub_M

www.cve.org

vulnerability

django-filter

dos

numberfilter

maxvaluevalidator

querysets

django

2.4.0+

exponential format

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

61.6%

JSON

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances. In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

CNA Affected

[
  {
    "vendor": "carltongibson",
    "product": "django-filter",
    "versions": [
      {
        "version": "< 2.4.0",
        "status": "affected"
      }
    ]
  }
]