CVE-2021-45115: Uncontrolled Resource Consumption in Django

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 37.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 5; latest update Jan 12

Description

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: djangoproject/django, affected from 2.2, fixed in 2.2.26 (+2 further ranges)
PyPI: djangoproject/django, affected from 2.2a1, fixed in 2.2.26 (+2 further ranges)

Also affects: Fedora 35

Patches

🔴 Vulnerability Details (5)

GHSA: Denial-of-service in Django (2022-01-12)
OSV: Denial-of-service in Django (2022-01-12)
OSV: CVE-2021-45115: An issue was discovered in Django 2 ... (2022-01-05)
OSV: python-django vulnerabilities (2022-01-05)
CVEList: CVE-2021-45115: An issue was discovered in Django 2 ... (2022-01-04)

📋 Vendor Advisories (3)

Ubuntu: Django vulnerabilities (2022-01-05)
Red Hat: django: Denial-of-service possibility in UserAttributeSimilarityValidator (2022-01-04)
Debian: CVE-2021-45115: python-django - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 ... (2021)
CVE-2021-45115 — Uncontrolled Resource Consumption | cvebase