CVE-2015-5145
published 2015-07-14
CVE-2015-5145: validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Priority P433 · high · 7.8 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS
2.97%
85.6th percentile
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.8 < 1.8.3 | 1.8.3 |
| djangoproject | django | >= 1.8a1 < 1.8.3 | 1.8.3 |
CVSS provenance
nvd · v2.0 · 7.8 · HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_debian · 7.8 · LOW
vendor_redhat · 7.8 · HIGH
OSV
Django ReDoS in validators.URLValidator
osv·2022-05-17
CVE-2015-5145 [HIGH] Django ReDoS in validators.URLValidator
`validators.URLValidator` in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
GHSA
Django ReDoS in validators.URLValidator
ghsa·2022-05-17
CVE-2015-5145 [HIGH] CWE-1333 Django ReDoS in validators.URLValidator
`validators.URLValidator` in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
OSV
CVE-2015-5145: validators
osv·2015-07-14
CVE-2015-5145 CVE-2015-5145: validators
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Red Hat
Django: DoS via incorrect URL validation
vendor_redhat·2015-07-08·CVSS 7.8
CVE-2015-5145 [HIGH] CWE-185 Django: DoS via incorrect URL validation
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Debian
CVE-2015-5145: python-django - validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to ...
vendor_debian·2015·CVSS 7.8
CVE-2015-5145 [HIGH] CVE-2015-5145: python-django - validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to ...
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-5145 zope: Cross-site scripting (XSS) in ZMI pages through manage_tabs_message()
bugzilla·2017-08-21·CVSS 6.1
CVE-2009-5145 [MEDIUM] CVE-2009-5145 zope: Cross-site scripting (XSS) in ZMI pages through manage_tabs_message()
Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.
Upstream patch:
https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d
References:
http://www.openwall.com/lists/oss-security/2015/03/02/7
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5145
Bugzilla
CVE-2015-5145 Django: DoS via incorrect URL validation
bugzilla·2015-07-07·CVSS 7.8
CVE-2015-5145 [HIGH] CVE-2015-5145 Django: DoS via incorrect URL validation
The following flaw was found in Django:
'django.core.validators.URLValidator' included a regular expression that was extremely slow to evaluate against certain invalid inputs. This regular expression has been simplified and optimized.
This flaw has been fixed in Django version 1.8.3.
Acknowledgements:
Red Hat would like to thank the upstream Django project for reporting this issue.
Discussion:
Created attachment 1049118
urlvalidator-1.8.x.diff
---
Created attachment 1049119
urlvalidator-master.diff
---
Created attachment 1049882
urlvalidator-1.8.x.diff
---
Created attachment 1049883
urlvalidator-master.diff
---
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
---
python-django-1.8
http://www.securityfocus.com/bid/75691
http://www.securitytracker.com/id/1032820
https://security.gentoo.org/glsa/201510-06
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/