Lucene search

GitHub Advisory DatabaseGHSA-795C-9XPC-XW6G

HistoryAug 07, 2024 - 3:30 p.m.

Django vulnerable to a denial-of-service attack

2024-08-0715:30:42

CWE-130

GitHub Advisory Database

github.com

django 5.0.8

django 4.2.15

urlize

urlizetrunc

template filters

denial-of-service

attack

large inputs

specific sequence

characters

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

21.9%

JSON

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Affected configurations

Vulners

Node

djangoRange<4.2.15

djangoRange<5.0.8

VendorProductVersionCPE
*django*cpe:2.3:a:*:django:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	django	*	cpe:2.3:a::django::::::::*

References

docs.djangoproject.com/en/dev/releases/security

github.com/advisories/GHSA-795c-9xpc-xw6g

github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93

github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88

github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-68.yaml

nvd.nist.gov/vuln/detail/CVE-2024-41990

www.djangoproject.com/weblog/2024/aug/06/security-releases

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

21.9%

JSON

Related for GHSA-795C-9XPC-XW6G