ghsa-xxj9-f6rv-m3x4
Vulnerability from github
Published
2024-02-07 00:30
Modified
2024-04-20 03:30
Severity
Summary
Django denial-of-service attack in the intcomma template filter
Details
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2"
},
{
"fixed": "4.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "django"
},
"ranges": [
{
"events": [
{
"introduced": "5.0"
},
{
"fixed": "5.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24680"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2024-02-07T17:32:14Z",
"nvd_published_at": "2024-02-06T22:16:15Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.",
"id": "GHSA-xxj9-f6rv-m3x4",
"modified": "2024-04-20T03:30:33Z",
"published": "2024-02-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/5.0/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Django denial-of-service attack in the intcomma template filter"
}
Loading...