CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (base score 6.5, Medium)
AI Score Confidence: High
EPSS Percentile: 26.5%
A bug in Wagtail's parse_query_string causes it to take a long time to process suitably crafted inputs: given a sufficiently long string of characters without a space, parse_query_string takes an unexpectedly large amount of time to process it, resulting in a denial of service.

In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users).
Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
This vulnerability affects all unpatched versions from Wagtail 2.0 onwards.
Site owners who are unable to upgrade to a patched version can limit the length of search terms passed to parse_query_string. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast without triggering this vulnerability.
No workaround is available for the Wagtail admin usage.
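The workaround above, applied to a custom search view, as an added example (this is not Wagtail's code or the advisory's): the user-supplied string is capped before it reaches the parser, either by truncating it or by refusing it outright, and a small timing helper lets you measure what length is still fast in your own environment. The limit value, the QueryTooLong exception and the helper names are this example's own assumptions. It tries to import Wagtail's real parse_query_string (assumed to live at wagtail.search.utils) and otherwise falls back to a constructed stand-in parser so it runs stand-alone; the stand-in has none of the real parser's performance behaviour.

```python
import time
from typing import Callable, Optional, Tuple

# Upper bound taken from the advisory's measurement (assumed default; tune it
# for your own hosting environment with time_parse below).
MAX_QUERY_LENGTH = 1000


class QueryTooLong(ValueError):
    """Raised when a search string exceeds the configured limit (name assumed)."""


def _stand_in_parser(query_string: str) -> Tuple[dict, list]:
    """Constructed stand-in used only when Wagtail is not importable.

    It loosely mimics a (filters, terms) result shape but is NOT Wagtail's
    parse_query_string and does not reproduce its slow path.
    """
    filters, terms = {}, []
    for token in query_string.split():
        key, sep, value = token.partition(":")
        if sep and key and value:
            filters[key] = value
        else:
            terms.append(token)
    return filters, terms


def load_parser() -> Callable[[str], object]:
    """Return Wagtail's parse_query_string if importable, else the stand-in.

    A broad except is used because importing Wagtail without configured Django
    settings raises something other than ImportError.
    """
    try:
        from wagtail.search.utils import parse_query_string  # assumed module path
        return parse_query_string
    except Exception:
        return _stand_in_parser


def limit_query_length(query_string: str, max_length: int = MAX_QUERY_LENGTH,
                       truncate: bool = True) -> str:
    """Enforce the length cap before the string reaches the parser.

    truncate=True silently cuts the string, which keeps search working for a
    legitimate user who pasted too much. truncate=False refuses it, the safer
    choice for unauthenticated endpoints where you would rather answer with an
    HTTP 400 than spend CPU on the request at all.
    """
    if len(query_string) <= max_length:
        return query_string
    if truncate:
        return query_string[:max_length]
    raise QueryTooLong(
        f"search string of {len(query_string)} chars exceeds limit of {max_length}"
    )


def unsafe_search(query_string: str, parser: Optional[Callable] = None):
    """The vulnerable pattern: user input goes straight into the parser."""
    parser = parser or load_parser()
    return parser(query_string)


def guarded_search(query_string: str, parser: Optional[Callable] = None,
                   max_length: int = MAX_QUERY_LENGTH, truncate: bool = True):
    """The mitigated pattern: cap the length first, then parse."""
    parser = parser or load_parser()
    return parser(limit_query_length(query_string, max_length, truncate))


def time_parse(query_string: str, parser: Optional[Callable] = None) -> float:
    """Wall-clock seconds spent parsing one string.

    Run this against a real Wagtail install with inputs of increasing length
    (and no spaces) to choose a max_length that stays fast on your hardware.
    """
    parser = parser or load_parser()
    start = time.perf_counter()
    parser(query_string)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed inputs: a normal query and a long space-free string of the
    # kind the advisory describes.
    normal = "title:wagtail release notes"
    hostile = "a" * 5000
    print("normal :", guarded_search(normal))
    try:
        guarded_search(hostile, truncate=False)
    except QueryTooLong as exc:
        print("hostile:", exc)
    print("timing :", f"{time_parse('wagtail ' * 100):.6f}s")
```

Wire limit_query_length into the view (or form clean method) that feeds your custom search, not only into the call site you remember, so every path to parse_query_string is covered; the Wagtail admin's own search path is not reachable this way, which is why the advisory says upgrading is the only fix there.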
Many thanks to Jake Howard for reporting this issue.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-jmp3-39vp-fwg8
github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml
github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2
github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797
github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2
github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8
nvd.nist.gov/vuln/detail/CVE-2024-39317