Lucene search

GoogleOSV:GHSA-795C-9XPC-XW6G

HistoryAug 07, 2024 - 3:30 p.m.

Django vulnerable to a denial-of-service attack

2024-08-0715:30:42

Google

osv.dev

django

denial-of-service

vulnerability

urlize()

urlizetrunc()

template filters

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

21.9%

JSON

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

References

docs.djangoproject.com/en/dev/releases/security

github.com/django/django

github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93

github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88

github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-68.yaml

nvd.nist.gov/vuln/detail/CVE-2024-41990

www.djangoproject.com/weblog/2024/aug/06/security-releases

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

21.9%

JSON

Related for OSV:GHSA-795C-9XPC-XW6G