CVE-2024-39614
Published 2024-07-10
CVE-2024-39614: An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack…
Priority: P3 · 49 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 28.64% (97.9th percentile)
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
OSV
python-django vulnerabilities
osv·2024-07-11·CVSS 7.5
CVE-2024-38875 [HIGH] python-django vulnerabilities
python-django vulnerabilities
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
pos
OSV
Django vulnerable to Denial of Service
osv·2024-07-10
CVE-2024-39614 [HIGH] Django vulnerable to Denial of Service
Django vulnerable to Denial of Service
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. `get_supported_language_variant()` was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
OSV
CVE-2024-39614: An issue was discovered in Django 5
osv·2024-07-10·CVSS 7.5
CVE-2024-39614 [HIGH] CVE-2024-39614: An issue was discovered in Django 5
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
GHSA
Django vulnerable to Denial of Service
ghsa·2024-07-10
CVE-2024-39614 [HIGH] CWE-130 Django vulnerable to Denial of Service
Django vulnerable to Denial of Service
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. `get_supported_language_variant()` was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
OSV
python-django vulnerabilities
osv·2024-07-09·CVSS 7.5
CVE-2024-38875 [HIGH] python-django vulnerabilities
python-django vulnerabilities
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was discovered that Django incorrectly handled certain long strin
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-07-11·CVSS 7.5
CVE-2024-39330 [HIGH] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the sto
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-07-09·CVSS 7.5
CVE-2024-39330 [HIGH] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was disco
Red Hat
python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
vendor_redhat·2024-07-09·CVSS 7.5
CVE-2024-39614 [HIGH] CWE-1287 python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant()
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
A vulnerability was found in Python-Django in the get_supported_language_variant() function. The issue is triggered when very long strings containing a specific set of characters are parsed, leading to a potential denial-of-service attack.
Package: ansible-tower (Red Hat Ansible Automation Platform 1.2) - Will not fix
Package: python-django (Red Hat Certification for Red Hat Enterprise Linux 7) - Will not fix
Package: redhat-certification (Red Hat Certification for
Debian
CVE-2024-39614: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_su...
vendor_debian·2024·CVSS 7.5
CVE-2024-39614 [HIGH] CVE-2024-39614: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_su...
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: resolved (fixed in 3:4.2.14-1)
sid: resolved (fixed in 3:4.2.14-1)
trixie: resolved (fixed in 3:4.2.14-1)
No detection rules found.
No public exploits indexed.
References
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
https://security.netapp.com/advisory/ntap-20240808-0005/
Published: 2024-07-10