CVE-2022-41323 — Regex Denial of Service in Django

CWE-1333 — Regex Denial of Service CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

7.5HIGHNVD

EPSS

7.9%

top 7.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 16

Description

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django3.2 — 3.2.16+2

▶PyPIdjangoproject/django3.2 — 3.2.16+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Django denial-of-service vulnerability in internationalized URLs↗2022-10-16

▶

OSV

CVE-2022-41323: In Django 3↗2022-10-16

▶

OSV

Django denial-of-service vulnerability in internationalized URLs↗2022-10-16

▶

CVEList

CVE-2022-41323: In Django 3↗2022-10-16

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2022-10-04

▶

Red Hat

python-django: Potential denial-of-service vulnerability in internationalized URLs↗2022-10-04

▶

Debian

CVE-2022-41323: python-django - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internation...↗2022

▶