CVE-2009-3695Regex Denial of Service in Django

CWE-1333Regex Denial of ServiceCWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
5.0MEDIUMNVD
EPSS
6.2%
top 9.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedOct 13
Latest updateMay 2

Description

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

PyPIdjangoproject/django1.01.0.4+1
NVDdjangoproject/django1.0, 1.1+1

Patches

Patch: www.djangoproject.comPatch: www.securityfocus.comPatch: www.vupen.com

🔴Vulnerability Details

4
OSV
Django Regex Algorithmic Complexity Causes Denial of Service2022-05-02
GHSA
Django Regex Algorithmic Complexity Causes Denial of Service2022-05-02
CVEList
CVE-2009-3695: Algorithmic complexity vulnerability in the forms library in Django 12009-10-13
OSV
CVE-2009-3695: Algorithmic complexity vulnerability in the forms library in Django 12009-10-13

📋Vendor Advisories

2
Debian
CVE-2009-3695: python-django - Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1...2009
Red Hat
Django's forms DOS in 1.1/1.0

💬Community

1
Bugzilla
CVE-2009-3695 Django's forms DOS in 1.1/1.02009-10-10
CVE-2009-3695 — Regex Denial of Service in Django | cvebase