CVE-2011-4137 — Synchronous Access of Remote Resource without Timeout in Django

CWE-1088 — Synchronous Access of Remote Resource without Timeout9 documents7 sources

Severity

5.0MEDIUMNVD

CNA6.4GHSA6.4OSV6.4

EPSS

1.9%

top 16.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 19

Latest updateJul 23

Description

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.3 — 1.3.1+1

▶NVDdjangoproject/django1.2.6+18

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Denial of service in django↗2018-07-23

▶

OSV

Denial of service in django↗2018-07-23

▶

OSV

CVE-2011-4137: The verify_exists functionality in the URLField implementation in Django before 1↗2011-10-19

▶

CVEList

CVE-2011-4137: The verify_exists functionality in the URLField implementation in Django before 1↗2011-10-19

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2011-12-09

▶

Debian

CVE-2011-4137: python-django - The verify_exists functionality in the URLField implementation in Django before ...↗2011

▶

💬Community

Bugzilla

CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]↗2011-09-30

▶

Bugzilla

CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws↗2011-09-11

▶