CVE-2020-15225: Incorrect Conversion between Numeric Types in Django-filter

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 53.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 29

Description

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilt
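The mechanism the advisory describes, as an added stand-alone illustration (this is not django-filter's or Django's own code): a submitted value parsed as a `Decimal` is cheap to hold and compare, but converting it to `int` must materialise every digit, so a bound must be enforced before the conversion. The `ValidationError` class, the function names and the sample inputs below are constructed for this example; the 1e50 limit is the default `limit_value` the advisory states. The check goes slightly beyond the page by bounding the magnitude in both directions (`abs(value)`), since a large negative exponent value would be equally expensive to convert.

```python
from decimal import Decimal, InvalidOperation

# Default upper bound, matching the limit_value the advisory states for 2.4.0+.
DEFAULT_LIMIT = Decimal("1e50")


class ValidationError(ValueError):
    """Constructed stand-in for a form validation error (not Django's class)."""


def parse_number(raw: str, limit: Decimal = DEFAULT_LIMIT) -> Decimal:
    """Parse user text as a Decimal and enforce the bound before any int conversion.

    Decimal parsing stores mantissa and exponent, so even a huge exponent is
    cheap to represent and to compare. The comparison therefore runs first,
    and only values within the limit ever reach int().
    """
    try:
        value = Decimal(raw)
    except InvalidOperation:
        raise ValidationError(f"not a number: {raw!r}")
    if not value.is_finite():
        # NaN and Infinity parse successfully but are never valid filter values.
        raise ValidationError("NaN and infinity are not accepted")
    if abs(value) > limit:
        # Magnitude check in both directions (an extension of the page's
        # MaxValueValidator description, which states only the upper bound).
        raise ValidationError(f"magnitude exceeds limit {limit}")
    return value


def to_int_unchecked(raw: str) -> int:
    """Pre-2.4.0 shape of the conversion: straight to int with no bound (for contrast)."""
    return int(Decimal(raw))


def to_int_checked(raw: str, limit: Decimal = DEFAULT_LIMIT) -> int:
    """Post-fix shape of the conversion: validate the magnitude, then convert."""
    return int(parse_number(raw, limit))


def is_rejected(raw: str, limit: Decimal = DEFAULT_LIMIT) -> bool:
    """True when the hardened path refuses the input (used for demonstration)."""
    try:
        parse_number(raw, limit)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: ordinary values pass, out-of-range or
    # malformed values are refused before int() is reached.
    for sample in ["42", "3.7", "1e10", "1e50", "1e51", "-1e60", "NaN", "abc"]:
        print(f"{sample!r:>8} -> {'rejected' if is_rejected(sample) else to_int_checked(sample)}")
```

The important ordering is that `abs(value) > limit` is evaluated on the `Decimal` itself; a validator that first coerced to `int` and then compared would perform the expensive step it is meant to prevent.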

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (5 packages)

- Debian: debian/django-filter < django-filter 2.4.0-1 (bookworm)
- CVEListV5: carltongibson/django-filter < 2.4.0

Also affects: Fedora 34, 35

Patches

Vulnerability Details (3)

- OSV: CVE-2020-15225: django-filter is a generic system for filtering Django QuerySets based on user selections (2021-04-29)
- GHSA: Potential DoS with NumberFilter conversion to integer values. (2020-09-28)
- OSV: Potential DoS with NumberFilter conversion to integer values. (2020-09-28)

Vendor Advisories (2)

- Red Hat: python-django-filter: Maliciously input using exponential format may cause denial of service (2021-04-29)
- Debian: CVE-2020-15225: django-filter - django-filter is a generic system for filtering Django QuerySets based on user s... (2020)

Community (1)

- Bugzilla: CVE-2019-15225 envoy: crafted request with long URI allows remote attacker to cause denial of service (2019-10-25)
CVE-2020-15225 — Django-filter vulnerability | cvebase