Django -- multiple vulnerabilities

2024-08-0100:00:00

vuxml.freebsd.org

django

multiple vulnerabilities

memory exhaustion

denial-of-service

potential

sql injection

queryset

values

values_list

adminurlfieldwidget

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

Low

EPSS

0.001

Percentile

30.6%

JSON

Django reports:

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().
CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().
CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget.
CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchpy39-django42< 4.2.15UNKNOWN
FreeBSDanynoarchpy310-django42< 4.2.15UNKNOWN
FreeBSDanynoarchpy311-django42< 4.2.15UNKNOWN
FreeBSDanynoarchpy310-django50< 5.0.8UNKNOWN
FreeBSDanynoarchpy311-django50< 5.0.8UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	py39-django42	< 4.2.15	UNKNOWN
FreeBSD	any	noarch	py310-django42	< 4.2.15	UNKNOWN
FreeBSD	any	noarch	py311-django42	< 4.2.15	UNKNOWN
FreeBSD	any	noarch	py310-django50	< 5.0.8	UNKNOWN
FreeBSD	any	noarch	py311-django50	< 5.0.8	UNKNOWN