CVE-2022-41323
Published 2022-10-16
CVE-2022-41323: In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale…
Priority: P3 · 38 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.72% (84.2th percentile)
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.16-1 (bookworm) | python-django 3:3.2.16-1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.16 | 3.2.16 |
| djangoproject | django | >= 3.2 < 3.2.16 | 3.2.16 |
| djangoproject | django | >= 4.0 < 4.0.8 | 4.0.8 |
| djangoproject | django | >= 4.0 < 4.0.8 | 4.0.8 |
| djangoproject | django | >= 4.1 < 4.1.2 | 4.1.2 |
| djangoproject | django | >= 4.1 < 4.1.2 | 4.1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Ubuntu
Django vulnerability
vendor_ubuntu·2022-10-04
CVE-2022-41323 Django vulnerability
Title: Django vulnerability
Summary: Django could be made to crash if it received specially crafted network traffic.
Benjamin Balder Bach discovered that Django incorrectly handled certain
internationalized URLs. A remote attacker could possibly use this issue to
cause Django to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: Potential denial-of-service vulnerability in internationalized URLs
vendor_redhat·2022-10-04·CVSS 7.5
CVE-2022-41323 [HIGH] CWE-400 python-django: Potential denial-of-service vulnerability in internationalized URLs
python-django: Potential denial-of-service vulnerability in internationalized URLs
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
A denial of service flaw was discovered in Django. This issue occurs when incorrectly handling certain internationalized URLs. A malicious attacker could use this issue to cause a crash, resulting in a denial of service.
Package: python-django (Red Hat Ansible Automation Platform 2) - Affected
Package: python-django (Red Hat Ceph Storage 3) - Not affected
Package: python-django (Red Hat OpenStack Platform 13 (Queens)) - Not affected
Package: python-django20 (Red Hat OpenStack Platform 16.1) -
Debian
CVE-2022-41323: python-django - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internation...
vendor_debian·2022·CVSS 7.5
CVE-2022-41323 [HIGH] CVE-2022-41323: python-django - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internation...
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Scope: local
bookworm: resolved (fixed in 3:3.2.16-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 3:3.2.16-1)
sid: resolved (fixed in 3:3.2.16-1)
trixie: resolved (fixed in 3:3.2.16-1)
GHSA
Django denial-of-service vulnerability in internationalized URLs
ghsa·2022-10-16
CVE-2022-41323 [HIGH] CWE-1333 Django denial-of-service vulnerability in internationalized URLs
Django denial-of-service vulnerability in internationalized URLs
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
OSV
CVE-2022-41323: In Django 3
osv·2022-10-16·CVSS 7.5
CVE-2022-41323 [HIGH] CVE-2022-41323: In Django 3
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
OSV
Django denial-of-service vulnerability in internationalized URLs
osv·2022-10-16
CVE-2022-41323 [HIGH] Django denial-of-service vulnerability in internationalized URLs
Django denial-of-service vulnerability in internationalized URLs
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/
- https://security.netapp.com/advisory/ntap-20221124-0001/
- https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
Published: 2022-10-16