CVE-2024-41991

EPSS 0.28%
Published 07.08.2024 15:15:56
Last modified 07.08.2024 20:48:22
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Affected products Warnungen 0 Metrics 3 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 4.2 < 4.2.15

Djangoproject ≫ Django Version >= 5.0 < 5.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.51

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-130 Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

https://docs.djangoproject.com/en/dev/releases/security/

Patch

Vendor Advisory

https://groups.google.com/forum/#%21forum/django-announce

Not Applicable

https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-41991

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41991

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41991

EUVD