CVE-2024-38875
Published 2024-07-10
Priority P3 35 · severity high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 1.19% (64.0th percentile)
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:4.2.14-1 (forky) | python-django 3:4.2.14-1 (forky) |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
OSV · python-django vulnerabilities
osv · 2024-07-11 · CVSS 7.5 · CVE-2024-38875 [HIGH]
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
pos
GHSA · Django vulnerable to Denial of Service
ghsa · 2024-07-10 · CVE-2024-38875 [HIGH] · CWE-130
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
OSV · CVE-2024-38875: An issue was discovered in Django 4
osv · 2024-07-10 · CVSS 7.5 · CVE-2024-38875 [HIGH]
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
OSV · Django vulnerable to Denial of Service
osv · 2024-07-10 · CVE-2024-38875 [HIGH]
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
OSV · python-django vulnerabilities
osv · 2024-07-09 · CVSS 7.5 · CVE-2024-38875 [HIGH]
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was discovered that Django incorrectly handled certain long strin
Red Hat · python-django: Potential denial-of-service in django.utils.html.urlize()
vendor_redhat · 2024-07-26 · CVSS 7.5 · CVE-2024-38875 [HIGH] · CWE-1287
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
A vulnerability was found in the Django framework's urlize and urlizetrunc functions, where an attacker can input a certain string containing a large number of brackets, which leads to a potential denial of service when the application attempts to process the excessive input.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Ubuntu · Django vulnerabilities
vendor_ubuntu · 2024-07-11 · CVSS 7.5 · CVE-2024-39330 [HIGH]
Summary: Several security issues were fixed in Django.
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the sto
Ubuntu · Django vulnerabilities
vendor_ubuntu · 2024-07-09 · CVSS 7.5 · CVE-2024-39330 [HIGH]
Summary: Several security issues were fixed in Django.
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was disco
Debian · CVE-2024-38875: python-django - An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize...
vendor_debian · 2024 · CVSS 7.5 · CVE-2024-38875 [HIGH]
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.14-1)
sid: resolved (fixed in 3:4.2.14-1)
trixie: resolved (fixed in 3:4.2.14-1)
No detection rules found.
No public exploits indexed.
HackerOne · CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation.
hackerone · 2024-08-23 · CVSS 7.5 · CVE-2024-38875 [HIGH]
CVE-2024-38875 is a vulnerability where an attacker can cause uncontrolled resource consumption by passing an input with a lot of opening braces and closing braces to `strip_punctuation`. The function is used by the `urlize` and `urlizetrunc` filters.
Here is the vulnerable function:
```python
    # SNIP
    def trim_punctuation(self, word):
        """
        Trim trailing and wrapping punctuation from `word`. Return the items of
        the new state.
        """
        lead, middle, trail = "", word, ""
        # Continue trimming until middle remains unchanged.
        trimmed_something = True
        while trimmed_something:  # <--------- This loop has O(n^2) worst case time complexity
            trimmed_something = False
            # Trim wrapping pun
```
Bugzilla · CVE-2024-38875 python-django: Potential denial-of-service in django.utils.html.urlize()
bugzilla · 2024-07-05 · CVSS 7.5 · CVE-2024-38875 [HIGH]
django.utils.html.urlize() was subject to a potential denial-of-service attack via certain inputs with a very large number of brackets.
Affected versions
* Django main development branch
* Django 5.1
* Django 5.0
* Django 4.2
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:6428 https://access.redhat.com/errata/RHSA-2024:6428
---
This issue has been addressed in the following products:
Red Hat Satellite 6.16 for RHEL 8
Red Hat Satellite 6.16 for RHEL 9
Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906
---
This issue has been addressed in th
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
- https://security.netapp.com/advisory/ntap-20240808-0005/
Published 2024-07-10