CVE-2019-14235
Published: 2019-08-02
Priority: P3 · 38 · high · CVSS 3.0 base score 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.07% (86.0th percentile)
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
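The description above names the mechanism but not its shape. The following is an added example, not Django's code or part of any advisory on this page: it reconstructs the "repercent invalid UTF-8 octets" step that uri_to_iri() performs after percent-decoding, once in the recursive shape the CVE describes (one recursion level per bad octet, each level holding its own copy of the path) and once in the loop shape of the fix, then runs both on a constructed URI carrying many `%FF` octets. The percent-decoding uses urllib's unquote_to_bytes, a simplification of Django's selective unquoting; the input, the function names and the `compare` harness are assumptions made here.

```python
"""Added example (not Django's code): the CVE-2019-14235 recursion pattern.

After percent-decoding, uri_to_iri() must re-percent-encode every octet that
is not part of a valid UTF-8 sequence (RFC 3987 section 3.2, step 3).
`repercent_recursive` has the shape of the vulnerable function (recurses once
per invalid octet); `repercent_iterative` has the shape of the fix (consumes
the input left to right and accumulates the already-repaired prefix).
"""
import sys
import tracemalloc
from urllib.parse import quote, unquote_to_bytes

# Bytes left un-encoded when re-quoting a bad octet (reserved URI characters).
SAFE = b"/#%[]=:;$&()+,!?*@'~"


def repercent_recursive(path: bytes) -> bytes:
    """Vulnerable shape: one recursion level per invalid octet sequence.

    Each level keeps its own copy of `path` (and the UnicodeDecodeError that
    references it) alive until the innermost call returns, so live memory
    grows with (number of bad octets) x (length of path). On CPython the
    interpreter recursion limit is hit first for long inputs.
    """
    try:
        path.decode()
    except UnicodeDecodeError as e:
        repercent = quote(path[e.start:e.end], safe=SAFE).encode()
        path = repercent_recursive(path[:e.start] + repercent + path[e.end:])
    return path


def repercent_iterative(path: bytes) -> bytes:
    """Fixed shape: loop instead of recursion, never re-scan repaired text."""
    changed_parts = []
    while True:
        try:
            path.decode()
        except UnicodeDecodeError as e:
            repercent = quote(path[e.start:e.end], safe=SAFE).encode()
            changed_parts.append(path[:e.start] + repercent)
            path = path[e.end:]  # continue after the octets just repaired
        else:
            return b"".join(changed_parts) + path


def uri_to_iri_step(uri: str, impl) -> str:
    """Percent-decode (simplified: urllib, not Django's selective unquote),
    then repair invalid UTF-8 with the given implementation."""
    return impl(unquote_to_bytes(uri)).decode()


def compare(n_bad_octets: int) -> dict:
    """Run both implementations on a URI with n_bad_octets invalid bytes.

    '%FF' decodes to 0xFF, which can never start a UTF-8 sequence, so every
    copy triggers exactly one repercent step. Returns the outcome and the
    peak memory (bytes, per tracemalloc) for each implementation.
    """
    crafted = "/search?q=" + "%FF" * n_bad_octets  # constructed input
    results = {}
    saved_limit = sys.getrecursionlimit()
    sys.setrecursionlimit(1000)  # CPython's default, pinned for reproducibility
    try:
        for name, impl in (("recursive", repercent_recursive),
                           ("iterative", repercent_iterative)):
            tracemalloc.start()
            try:
                out = uri_to_iri_step(crafted, impl)
                outcome = {"ok": True, "output_matches": out == crafted}
            except (RecursionError, MemoryError) as exc:
                outcome = {"ok": False, "error": type(exc).__name__}
            _, peak = tracemalloc.get_traced_memory()
            tracemalloc.stop()
            outcome["peak_bytes"] = peak
            results[name] = outcome
    finally:
        sys.setrecursionlimit(saved_limit)
    return results


if __name__ == "__main__":
    for size in (10, 20_000):
        print(size, compare(size))
```

On a short URI both versions return the same repaired string; with tens of thousands of `%FF` octets the recursive shape fails (RecursionError under the default limit, with memory proportional to depth times path length held until then) while the loop finishes with a flat memory profile. A request path is attacker-controlled and uri_to_iri() is reached from URL handling, which is why the advisories rate this as a remotely triggerable denial of service.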
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 2:2.2.4-1 (bookworm) | 2:2.2.4-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 1.11a1 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 2.1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.1a1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.2 < 2.2.4 | 2.2.4 |
| djangoproject | django | >= 2.2a1 < 2.2.4 | 2.2.4 |
| opensuse | leap | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| OSV | — | 7.5 | HIGH | — |
| Debian | — | 7.5 | HIGH | — |
| Red Hat | — | 7.5 | HIGH | — |
| Ubuntu | — | 7.5 | HIGH | — |
Red Hat
Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
vendor_redhat·2019-08-01·CVSS 7.5
CVE-2019-14235 [HIGH] CWE-400 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Statement: This issue affects the versions of python-django as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3, as it contains the vulnerable code.
This issue affects Red Hat Update Infrastructure for Cloud Providers, but the vulnerable functions in python-django are currently not used in any part of the Product.
This issue does not affect Red Hat Satellite as the vulnerable functions in python-django are not used.
Red Hat Op
Ubuntu
Django vulnerabilities
vendor_ubuntu·2019-08-01·CVSS 7.5
CVE-2019-14232 [HIGH] Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled the Truncator function. A
remote attacker could possibly use this issue to cause Django to consume
resources, leading to a denial of service. (CVE-2019-14232)
It was discovered that Django incorrectly handled the strip_tags function.
A remote attacker could possibly use this issue to cause Django to consume
resources, leading to a denial of service. (CVE-2019-14233)
It was discovered that Django incorrectly handled certain lookups in the
PostgreSQL support. A remote attacker could possibly use this issue to
perform SQL injection attacks. (CVE-2019-14234)
It was discovered that Django incorrectly handled certain invalid UTF-8
octet sequences. A remote a
Debian
CVE-2019-14235: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an...
vendor_debian·2019·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an...
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Scope: local
bookworm: resolved (fixed in 2:2.2.4-1)
bullseye: resolved (fixed in 2:2.2.4-1)
forky: resolved (fixed in 2:2.2.4-1)
sid: resolved (fixed in 2:2.2.4-1)
trixie: resolved (fixed in 2:2.2.4-1)
GHSA
Uncontrolled Recursion in Django
ghsa·2019-08-06
CVE-2019-14235 [HIGH] CWE-674 Uncontrolled Recursion in Django
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
OSV
Uncontrolled Recursion in Django
osv·2019-08-06
CVE-2019-14235 [HIGH] Uncontrolled Recursion in Django
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
OSV
CVE-2019-14235: An issue was discovered in Django 1
osv·2019-08-02·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235: An issue was discovered in Django 1
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
OSV
python-django vulnerabilities
osv·2019-08-01·CVSS 7.5
CVE-2019-14232 [HIGH] python-django vulnerabilities
It was discovered that Django incorrectly handled the Truncator function. A
remote attacker could possibly use this issue to cause Django to consume
resources, leading to a denial of service. (CVE-2019-14232)
It was discovered that Django incorrectly handled the strip_tags function.
A remote attacker could possibly use this issue to cause Django to consume
resources, leading to a denial of service. (CVE-2019-14233)
It was discovered that Django incorrectly handled certain lookups in the
PostgreSQL support. A remote attacker could possibly use this issue to
perform SQL injection attacks. (CVE-2019-14234)
It was discovered that Django incorrectly handled certain invalid UTF-8
octet sequences. A remote attacker could possibly use this issue to cause
Django to
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [epel-7]
bugzilla·2019-08-01·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the
Bugzilla
CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [fedora-30]
bugzilla·2019-08-01·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [fedora-30]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-30.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Us
Bugzilla
CVE-2019-14235 python-django16: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [epel-7]
bugzilla·2019-08-01·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235 python-django16: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use th
Bugzilla
CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [fedora-29]
bugzilla·2019-08-01·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235 python-django: Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() [fedora-29]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-29.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Us
Bugzilla
CVE-2019-14235 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
bugzilla·2019-07-30·CVSS 7.5
CVE-2019-14235 [HIGH] CVE-2019-14235 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.
Discussion:
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1735781]
Affects: fedora-29 [bug 1735783]
Affects: fedora-30 [bug 1735784]
Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1735782]
---
External References:
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
---
Upstream Patches for master branch, 1.11, 2.1 and 2.2 releases:
https://github.com/django/django/commit/76ed1c49f804d409cfc2911a890c78584db3c76e
https://github.com/django
References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
https://seclists.org/bugtraq/2019/Aug/15
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20190828-0002/
https://www.debian.org/security/2019/dsa-4498
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/