CVE-2023-36053

EPSS 4.8%
Published 03.07.2023 13:15:09
Last modified 21.11.2024 08:09:14
Source cve@mitre.org
Teams watchlist Login
Open Login

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 3.2 < 3.2.20

Djangoproject ≫ Django Version >= 4.0 < 4.1.10

Djangoproject ≫ Django Version >= 4.2 < 4.2.3

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Debian ≫ Debian Linux Version12.0

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.8%	0.89

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://groups.google.com/forum/#%21forum/django-announce

Permissions Required

https://docs.djangoproject.com/en/4.2/releases/security/

Release Notes

https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/

Third Party Advisory

Mailing List