CVE-2024-38875 — Improper Handling of Length Parameter Inconsistency in Django

CWE-130 — Improper Handling of Length Parameter Inconsistency CWE-770 — Allocation of Resources Without Limits or Throttling CWE-1287 — Improper Validation of Specified Type of Input12 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 44.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJul 10

Latest updateAug 23

Description

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django4.2 — 4.2.14+1

▶PyPIdjangoproject/django4.2 — 4.2.14+1

🔴Vulnerability Details

OSV

python-django vulnerabilities↗2024-07-11

▶

GHSA

Django vulnerable to Denial of Service↗2024-07-10

▶

OSV

CVE-2024-38875: An issue was discovered in Django 4↗2024-07-10

▶

CVEList

CVE-2024-38875: An issue was discovered in Django 4↗2024-07-10

▶

OSV

Django vulnerable to Denial of Service↗2024-07-10

▶

📋Vendor Advisories

Red Hat

python-django: Potential denial-of-service in django.utils.html.urlize()↗2024-07-26

▶

Ubuntu

Django vulnerabilities↗2024-07-11

▶

Ubuntu

Django vulnerabilities↗2024-07-09

▶

Debian

CVE-2024-38875: python-django - An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize...↗2024

▶

💬Community

HackerOne

CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation .↗2024-08-23

▶