CVE-2015-0221
Published: 2015-01-16
Priority: P4 · 23 · medium · CVSS 2.0 score 5 · vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 4.33% (90.0th percentile)
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Affected
22 ranges (rows carrying no version data are shown once per vendor)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 1.7.1-1.1 (bookworm) | python-django 1.7.1-1.1 (bookworm) |
| djangoproject | django | <= 1.4.17 | — |
| djangoproject | django | >= 0 < 1.4.18 | 1.4.18 |
| djangoproject | django | >= 1.6 < 1.6.10 | 1.6.10 |
| djangoproject | django | >= 1.7 < 1.7.3 | 1.7.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu: Django regression
vendor_ubuntu · 2015-02-04 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
Summary: USN-2469-1 caused a regression in Django.
USN-2469-1 fixed vulnerabilities in Django. The security fix for
CVE-2015-0221 introduced a regression on Ubuntu 10.04 LTS and Ubuntu 12.04
LTS when serving static content through GZipMiddleware. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorre
Red Hat: Django: denial of service attack against django.views.static.serve
vendor_redhat · 2015-01-13 · CVSS 5.0 · CVE-2015-0221 [MEDIUM] · CWE-770
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: Django14 (Red Hat OpenStack Platform 4) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Ubuntu: Django vulnerabilities
vendor_ubuntu · 2015-01-13 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
Summary: Several security issues were fixed in Django.
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service. (CVE-2015-0221)
Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceFi
Debian: CVE-2015-0221: python-django
vendor_debian · 2015 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Scope: local
bookworm: resolved (fixed in 1.7.1-1.1)
bullseye: resolved (fixed in 1.7.1-1.1)
forky: resolved (fixed in 1.7.1-1.1)
sid: resolved (fixed in 1.7.1-1.1)
trixie: resolved (fixed in 1.7.1-1.1)
GHSA: Django DoS in django.views.static.serve
ghsa · 2022-05-17 · CVE-2015-0221 [HIGH] · CWE-400
The `django.views.static.serve` view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
OSV: Django DoS in django.views.static.serve
osv · 2022-05-17 · CVE-2015-0221 [HIGH]
The `django.views.static.serve` view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
OSV: CVE-2015-0221
osv · 2015-01-16 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
OSV: python-django vulnerabilities
osv · 2015-01-13 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service. (CVE-2015-0221)
Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this issue
to
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2015-0221 Django14: Django: denial of service attack against django.views.static.serve [epel-6]
bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for Djang
Bugzilla: CVE-2015-0221 python-django14: Django: denial of service attack against django.views.static.serve [fedora-20]
bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
fedora-20 tracking bug f
Bugzilla: CVE-2015-0221 python-django: Django: denial of service attack against django.views.static.serve [fedora-all]
bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
NOTE: this issue affects
Bugzilla: CVE-2015-0221 python-django: Django: denial of service attack against django.views.static.serve [epel-7]
bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
epel-7 tracking bug for
Bugzilla: CVE-2015-0221 Django: denial of service attack against django.views.static.serve
bugzilla · 2015-01-07 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
The Django project reports the following issue:
"""
In older versions of Django, the ``django.views.static.serve()`` view read the files it served one line at a time. Therefore, a big file with no newlines would result in memory usage equal to the size of that file. An attacker could exploit this and launch a denial-of-service attack by simultaneously requesting many large files. This view now reads the file in chunks to prevent large memory usage.
Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server i
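The mechanism the Django note describes, as an added illustration that is not Django's own code: a line-at-a-time read against a constructed newline-free file hands the response one piece the size of the whole file, while a fixed-size chunked read (the approach the fix adopted) bounds the largest piece by the chunk size. CHUNK_SIZE, the function names and the temporary file are this example's assumptions.

```python
# Added example, not Django's own code: contrasts the pre-fix line-based read of
# django.views.static.serve with a fixed-size chunked read like the one the fix adopted.
import os
import tempfile

CHUNK_SIZE = 8192  # assumed per-iteration bound; name and value belong to this example


def iter_lines(path):
    """Pre-fix behaviour: iterate a file line by line. A file with no b'\\n'
    yields one 'line' the size of the whole file, so memory tracks file size."""
    with open(path, "rb") as f:
        for line in f:
            yield line


def iter_chunks(path, chunk_size=CHUNK_SIZE):
    """Post-fix behaviour: read fixed-size chunks regardless of file content."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            yield chunk


def peak_piece_size(pieces):
    """Largest single piece produced: a proxy for per-request peak memory."""
    return max((len(p) for p in pieces), default=0)


def make_newline_free_file(size):
    """Constructed input: `size` bytes with no newline (worst case for readline)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"A" * size)
    return path


def compare(size):
    """Peak piece size of both strategies over a newline-free file of `size` bytes."""
    path = make_newline_free_file(size)
    try:
        return {
            "line_based_peak": peak_piece_size(iter_lines(path)),
            "chunked_peak": peak_piece_size(iter_chunks(path)),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(compare(1_000_000))  # line_based_peak == 1000000, chunked_peak == 8192
```

Requesting many such files concurrently multiplies the line-based figure by the number of requests, which is the memory-consumption denial of service the advisory describes; the chunked figure stays constant per request.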
arXiv: An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications
arxiv_fulltext · 2018-11-16
Jukka Ruohonen, University of Turku, Finland
## Abstract
This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be only modestly severe; input validation and cross-site scripting have been the most typical vulnerabilities. In terms of the
References:
http://advisories.mageia.org/MGASA-2015-0026.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
http://secunia.com/advisories/62285
http://secunia.com/advisories/62309
http://secunia.com/advisories/62718
http://ubuntu.com/usn/usn-2469-1
http://www.mandriva.com/security/advisories?name=MDVSA-2015:036
http://www.mandriva.com/security/advisories?name=MDVSA-2015:109
https://www.djangoproject.com/weblog/2015/jan/13/security/