CVE-2013-0306
Published 2013-05-02
Priority: P4 (medium). CVSS 2.0 base score 5.0, vector AV:N/AC:L/Au:N/C:N/I:N/A:P.
EPSS: 2.57% (percentile 83.3)
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.
Affected
15 ranges indexed; version data was captured only for the Debian entry and the last two djangoproject entries.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | not captured (4 ranges) | — |
| debian | python-django | < 1.4.4-1 (bookworm) | 1.4.4-1 |
| djangoproject | django | not captured (8 ranges) | — |
| djangoproject | django | >= 1.3, < 1.3.6 | 1.3.6 |
| djangoproject | django | >= 1.4, < 1.4.4 | 1.4.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
OSV
Django is vulnerable to Denial of Service attack in formset
osv · 2022-05-05 · CVE-2013-0306 [MEDIUM]
GHSA
Django is vulnerable to Denial of Service attack in formset
ghsa · 2022-05-05 · CVE-2013-0306 [MEDIUM] · CWE-400
OSV
CVE-2013-0306: The form library in Django 1
osv · 2013-05-02 · CVSS 5.0 · CVE-2013-0306 [MEDIUM]
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2013-03-07 · CVSS 6.4 · CVE-2012-4520 [MEDIUM]
Summary: Several security issues were fixed in Django.
James Kettle discovered that Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users. Although this issue had been previously addressed in USN-1632-1, this update adds additional hardening measures to host header validation. This update also adds a new ALLOWED_HOSTS setting that can be set to a list of acceptable values for headers. (CVE-2012-4520)
Orange Tsai discovered that Django incorrectly performed permission checks when displaying the history view in the admin interface. An administrator could use this flaw to view the history of any object, regardless of intended permissions. (CVE-2013-03
Red Hat
Django: Formset denial-of-service
vendor_redhat · 2013-02-19 · CVSS 5.0 · CVE-2013-0306 [MEDIUM]
Package: Django (Red Hat Subscription Asset Manager) - Affected
Debian
CVE-2013-0306: python-django - The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 befor...
vendor_debian · 2013 · CVSS 5.0 · CVE-2013-0306 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.4.4-1)
bullseye: resolved (fixed in 1.4.4-1)
forky: resolved (fixed in 1.4.4-1)
sid: resolved (fixed in 1.4.4-1)
trixie: resolved (fixed in 1.4.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0306 Django: Formset denial-of-service
bugzilla · 2013-02-20 · CVSS 5.0 · CVE-2013-0306 [MEDIUM]
James Bennett of Django reports:
Django's form library includes tools for generating formsets -- multiple instances of a single form, to be submitted simultaneously (e.g., for mass editing/updating of similar objects). Formsets allow a parameter, max_num, specifying the maximum number of individual forms which may be displayed. A hidden input in the formset then specifies the number of forms being submitted.
Django accepts the submitted hidden value, and attempts to instantiate that many form objects. Sufficiently large values will result in extreme memory consumption; values exceeding sys.maxint will, in this case, result in an HTTP 500 response (due to an uncaught OverflowError from the over-large value). In the former case, the result i
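Worked example, added here and not taken from Django or from the bug report above: a stand-in for a formset's management form showing the pre-1.4.4 behaviour that Bennett describes beside the fixed shape. The hidden input is the TOTAL_FORMS counter under the formset prefix (form-TOTAL_FORMS by default); max_num is the server-side factory argument, which is what the NVD text calls a "modified max_num parameter". The absolute ceiling of max_num + DEFAULT_MAX_NUM (DEFAULT_MAX_NUM = 1000) mirrors what Django 1.4.4 introduced; the StandInForm class, the two POST dictionaries and the function names are constructed for this example, and it runs without Django installed.

```python
"""Model of the CVE-2013-0306 formset DoS and of the absolute-cap fix.

Constructed example: this is NOT django.forms.formsets. It reproduces only the
shape of a formset's management form (the hidden <prefix>-TOTAL_FORMS input)
with a tiny stand-in form class so it runs without Django installed.
"""
from dataclasses import dataclass

# Django 1.4.4 introduced a ceiling of max_num + DEFAULT_MAX_NUM (with
# DEFAULT_MAX_NUM = 1000) on the number of bound forms; the constant here
# mirrors that value but belongs to this example, not to Django.
DEFAULT_MAX_NUM = 1000
TOTAL_FORM_COUNT = "TOTAL_FORMS"   # management-form field name, as in Django


@dataclass
class StandInForm:
    """Placeholder for a bound form (a real one carries fields and errors)."""
    prefix: str


def _total_forms_from(data, prefix):
    """Read the hidden management-form counter as an int (ValueError on junk)."""
    return int(data[f"{prefix}-{TOTAL_FORM_COUNT}"])


def vulnerable_build_forms(data, prefix="form", max_num=5):
    """Pre-fix behaviour: trust the client's TOTAL_FORMS and instantiate that
    many forms. max_num only shaped the unbound (rendered) formset, so a client
    that edits the hidden input bypasses it entirely: a huge value means huge
    memory use, and under Python 2 a value beyond sys.maxint made the form
    loop raise OverflowError, which surfaced as an HTTP 500."""
    total = _total_forms_from(data, prefix)
    return [StandInForm(prefix=f"{prefix}-{i}") for i in range(total)]


def hardened_build_forms(data, prefix="form", max_num=5):
    """Fixed shape: clamp the submitted total at max_num + DEFAULT_MAX_NUM and
    turn a missing, non-numeric or negative counter into a validation error
    instead of an uncaught exception (5xx)."""
    absolute_max = max_num + DEFAULT_MAX_NUM
    try:
        total = _total_forms_from(data, prefix)
    except (KeyError, ValueError, OverflowError) as exc:
        raise ValueError("ManagementForm data is missing or has been tampered with") from exc
    if total < 0:
        raise ValueError("TOTAL_FORMS must not be negative")
    return [StandInForm(prefix=f"{prefix}-{i}") for i in range(min(total, absolute_max))]


# Constructed POST bodies (not captured traffic): one honest submission and
# one where the hidden counter was edited to a 40-digit number.
HONEST_POST = {"form-TOTAL_FORMS": "3", "form-INITIAL_FORMS": "0",
               "form-0-name": "a", "form-1-name": "b", "form-2-name": "c"}
TAMPERED_POST = {"form-TOTAL_FORMS": "9" * 40, "form-INITIAL_FORMS": "0"}


def forms_instantiated(builder, data, max_num=5):
    """Number of form objects `builder` creates for `data`, or None when the
    builder rejects the submission. Lets the two handlers be compared without
    running the vulnerable one on the tampered body."""
    try:
        return len(builder(data, max_num=max_num))
    except ValueError:
        return None


if __name__ == "__main__":
    print("honest, vulnerable :", forms_instantiated(vulnerable_build_forms, HONEST_POST))
    print("honest, hardened   :", forms_instantiated(hardened_build_forms, HONEST_POST))
    # Deliberately not calling vulnerable_build_forms on TAMPERED_POST: that
    # call is the denial of service itself (10**40 form objects).
    print("tampered, hardened :", forms_instantiated(hardened_build_forms, TAMPERED_POST))
    print("junk, hardened     :", forms_instantiated(hardened_build_forms, {"form-TOTAL_FORMS": "abc"}))
```

Two things the example makes visible that the advisory text does not. First, with max_num=5 the vulnerable handler still builds 50 forms for a counter of "50", so the hidden field, not max_num, decides the allocation. Second, the ceiling stops the resource exhaustion but does not by itself reject a submission that exceeds max_num (50 forms are still accepted under a cap of 1005), so an application that relies on max_num as a business limit still needs its own check after binding.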
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [epel-5]
bugzilla · 2013-02-20 · CVSS 4.0 · CVE-2013-0305 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
epel-5 tracking bug for Django: see blocks
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django14 various flaws [epel-6]
bugzilla · 2013-02-20 · CVSS 4.0 · CVE-2013-0305 [MEDIUM]
Automatically created Fedora EPEL tracking bug (same template text as the epel-5 entry).
epel-6 tracking bug for Django14: see bl
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [fedora-17]
bugzilla · 2013-02-20 · CVSS 4.0 · CVE-2013-0305 [MEDIUM]
Automatically created Fedora tracking bug (same template text as the epel-5 entry).
fedora-17 tracking bug for Django: see block
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [epel-6]
bugzilla · 2013-02-20 · CVSS 4.0 · CVE-2013-0305 [MEDIUM]
Automatically created Fedora EPEL tracking bug (same template text as the epel-5 entry).
epel-6 tracking bug for Django: see blocks
References
http://rhn.redhat.com/errata/RHSA-2013-0670.html
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
https://www.djangoproject.com/weblog/2013/feb/19/security/
Published: 2013-05-02