CVE-2024-41989
Published 2024-08-07
Priority: P3 · 35 · Severity: high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.20% (64.3rd percentile)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
Red Hat
python-django: Memory exhaustion in django.utils.numberformat.floatformat()
vendor_redhat·2024-08-06·CVSS 7.5
CVE-2024-41989 [HIGH] CWE-400 python-django: Memory exhaustion in django.utils.numberformat.floatformat()
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
A security issue was found in Django. If 'floatformat' received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. To avoid this, decimals with more than 200 digits are now returned as is.
Statement: This issue is categorized as moderate severity rather than important because, while it has the potential to cause significant memory consumption under specific conditions, the likelihood of such a
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-08-06·CVSS 7.5
CVE-2024-41990 [HIGH] Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain strings in the floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)
It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)
It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)
It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injectio
Debian
CVE-2024-41989: python-django - An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The fl...
vendor_debian·2024·CVSS 7.5
CVE-2024-41989 [HIGH] CVE-2024-41989: python-django - An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The fl...
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: resolved (fixed in 3:4.2.15-1)
sid: resolved (fixed in 3:4.2.15-1)
trixie: resolved (fixed in 3:4.2.15-1)
OSV
CVE-2024-41989: An issue was discovered in Django 5
osv·2024-08-07·CVSS 7.5
CVE-2024-41989 [HIGH] CVE-2024-41989: An issue was discovered in Django 5
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
GHSA
Django memory consumption vulnerability
ghsa·2024-08-07
CVE-2024-41989 [MEDIUM] CWE-400 Django memory consumption vulnerability
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
OSV
Django memory consumption vulnerability
osv·2024-08-07
CVE-2024-41989 [MEDIUM] Django memory consumption vulnerability
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
OSV
python-django vulnerabilities
osv·2024-08-06·CVSS 7.5
CVE-2024-41989 [HIGH] python-django vulnerabilities
It was discovered that Django incorrectly handled certain strings in the floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)
It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)
It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)
It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-41989: Denial-Of-Service vulnerability in the floatformat template filter when input string contains a big exponent in scientific notation
hackerone·2024-09-22·CVSS 7.5
CVE-2024-41989 [HIGH] CVE-2024-41989: Denial-Of-Service vulnerability in the floatformat template filter when input string contains a big exponent in scientific notation
This vulnerability exists in the `floatformat` input filter when an attacker can pass a string with an `"e"` character in it to the input filter. This vulnerability takes advantage of the way strings with scientific exponents are converted internally to integers.
## Impact
An attacker can cause uncontrolled memory and resource consumption on a vulnerable django server.
(I have attached a screenrecording of the email conversation, the original email as an EML file, the original attachment as a zip file, a screenrecording of the entire email convo, the entire convo as a pdf file and a screenshot from the email convo. My personal email addres
Bugzilla
CVE-2024-41989 python-django: Memory exhaustion in django.utils.numberformat.floatformat()
bugzilla·2024-08-02·CVSS 7.5
CVE-2024-41989 [HIGH] CVE-2024-41989 python-django: Memory exhaustion in django.utils.numberformat.floatformat()
Description: If floatformat received a string representation of a number in scientific notation with a large exponent, it could lead to significant memory consumption. To avoid this, decimals with more than 200 digits are now returned as is.
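The mitigation described in the Red Hat and Bugzilla entries (a decimal that would expand past 200 digits is handed back unformatted) comes down to measuring the size of the plain rendering before producing it. Python's `Decimal.as_tuple()` exposes the mantissa digits and the exponent without expanding the value, so the check costs about as much as parsing the input string, whereas quantizing `1E+250` first would allocate 251 digits. The block below is an added example written for this page; it is not Django's floatformat code and its function names, simplified rounding behaviour and error handling are this example's own assumptions. Only the 200-digit limit is taken from the advisory text.

```python
from decimal import Decimal, InvalidOperation, getcontext

# Digit budget for the plain (non-scientific) rendering. 200 is the limit the
# advisory describes; where to apply it is this example's own design choice.
MAX_DIGITS = 200


def expanded_digit_count(d):
    """Return how many digits the plain rendering of Decimal `d` needs,
    computed from the tuple form without materialising those digits.

    Decimal('1E+250').as_tuple() == (sign=0, digits=(1,), exponent=250): one
    mantissa digit shifted 250 places gives a 251-digit integer. For a
    negative exponent, Decimal('1.5E-3') has digits (1, 5) and exponent -4,
    and '0.0015' likewise needs 2 + 4 = 6 digit positions.
    """
    _sign, digits, exponent = d.as_tuple()
    if not isinstance(exponent, int):  # 'n', 'N' or 'F' marks NaN / Infinity
        return 0
    return len(digits) + abs(exponent)


def safe_floatformat(text, places=1):
    """Round the numeric string `text` to `places` decimals.

    The input is returned unchanged when it is not a finite number or when
    its plain rendering would exceed MAX_DIGITS digits. Quantization runs
    only after the size check, so the oversized case never allocates.
    """
    try:
        d = Decimal(str(text))
    except InvalidOperation:  # e.g. 'abc': not a number at all
        return text
    if not d.is_finite():  # NaN / Infinity cannot be rounded meaningfully
        return text

    needed = expanded_digit_count(d)
    if needed > MAX_DIGITS:
        return text  # oversized: hand the raw string back, as the fix describes

    # Give the context enough precision for every digit we are about to emit;
    # the bound is tiny here because the size check already passed.
    ctx = getcontext().copy()
    ctx.prec = max(ctx.prec, needed + places + 1)
    quantum = Decimal(1).scaleb(-places)  # 0.1 for places=1, 0.01 for places=2
    return str(d.quantize(quantum, context=ctx))


if __name__ == "__main__":
    # Constructed sample inputs: ordinary values are rounded, an oversized
    # scientific-notation string comes back untouched instead of expanding.
    for sample in ("1.5e3", "3.14159", "1e250", "NaN", "abc"):
        print(repr(sample), "->", repr(safe_floatformat(sample)))
```

The guard is deliberately placed before any arithmetic on the value: the point of the advisory's fix is that the expensive step (turning a compact exponent into a long run of digits) must never run on input that has not been sized first. A value such as `1e199` sits just inside the budget and is still formatted in full, which shows the check bounds the work rather than rejecting scientific notation as such.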
Affected versions
* Django main development branch
* Django 5.1 (currently at release candidate status)
* Django 5.0
* Django 4.2
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:6428 https://access.redhat.com/errata/RHSA-2024:6428
---
This issue has been addressed in the following products:
Red Hat Ansible Automation