CVE-2024-41990
Published 2024-08-07
Priority: P3 (36), severity high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.26% (65.9th percentile)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 3:4.2.15-1 (forky) | 3:4.2.15-1 (forky) |
| djangoproject | django | >= 4.2, < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 5.0, < 5.0.8 | 5.0.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
GHSA
Django vulnerable to a denial-of-service attack
ghsa · 2024-08-07 · severity MEDIUM · CWE-130
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
OSV
Django vulnerable to a denial-of-service attack
osv · 2024-08-07 · severity MEDIUM
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
OSV
CVE-2024-41990: An issue was discovered in Django 5
osv · 2024-08-07 · CVSS 7.5 · HIGH
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Red Hat
python-django: Potential denial-of-service vulnerability in django.utils.html.urlize()
vendor_redhat · 2024-08-06 · CVSS 7.5 · HIGH · CWE-130
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
A flaw was found in Django. Processing very large inputs containing a specific sequence of characters with the urlize and urlizetrunc functions can cause a denial of service.
Mitigation: Implementing input validation and limiting the size of inputs passed to urlize and urlizetrunc will mitigate this vulnerability.
Package: ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 (Red Hat Ansible Automation Platform 2) - Not affected
Package: ansible-automation-platform-2
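The mitigation Red Hat describes (validate and cap the size of anything handed to urlize/urlizetrunc) as an added example; this is not Django's, Red Hat's or the reporter's code. It assumes an illustrative budget `MAX_URLIZE_CHARS`, an illustrative filter name `safe_urlize`, and that releases older than 4.2 (out of upstream support, not listed on this page) are treated as unpatched. Django itself is imported lazily, so the version gate and the size check run even where Django is not installed; the `".;" * 40000` input mirrors the HackerOne PoC further down the page.

```python
"""Size-capped wrapper around Django's urlize(), an interim mitigation for
CVE-2024-41990 on hosts that cannot yet move to Django 4.2.15 / 5.0.8.

Added example, not Django's or Red Hat's own code. MAX_URLIZE_CHARS and the
filter name "safe_urlize" are illustrative assumptions.
"""

MAX_URLIZE_CHARS = 8_000  # assumed budget; size it to the longest text the UI really needs


def needs_mitigation(version):
    """True if a django.VERSION-style tuple falls inside the advisory's ranges.

    Fixed releases per the advisory: 4.2.15 and 5.0.8. Anything below 4.2 is
    out of upstream support and is treated as unpatched (assumption).
    """
    major, minor, patch = (tuple(version) + (0, 0, 0))[:3]
    v = (major, minor, patch)
    if v >= (5, 0):
        return v < (5, 0, 8)
    if v >= (4, 2):
        return v < (4, 2, 15)
    return True  # 4.1 and older: no fixed upstream release exists


class UrlizeInputTooLarge(ValueError):
    """Raised when caller-controlled text exceeds the urlize budget."""


def enforce_urlize_budget(text, limit=MAX_URLIZE_CHARS, truncate=False):
    """Return text that is within the size budget, truncating or rejecting it.

    Rejecting (truncate=False) belongs at the request boundary, e.g. in a
    form's clean(); truncating belongs inside a template filter, where
    raising would turn the rendering of already-stored data into a 500.
    """
    if text is None:
        return ""
    if not isinstance(text, str):
        text = str(text)
    if len(text) <= limit:
        return text
    if truncate:
        return text[:limit]
    raise UrlizeInputTooLarge(f"{len(text)} characters exceeds budget of {limit}")


def exceeds_budget(text, limit=MAX_URLIZE_CHARS):
    """Boolean form of the check, convenient in form validation."""
    return len(text if isinstance(text, str) else str(text)) > limit


def bounded_urlize(text, limit=MAX_URLIZE_CHARS, truncate=True, autoescape=True):
    """Drop-in for django.utils.html.urlize that never sees more than `limit` chars."""
    from django.utils.html import urlize  # lazy: only needed when actually linkifying

    safe_text = enforce_urlize_budget(text, limit, truncate)
    return urlize(safe_text, nofollow=True, autoescape=autoescape)


def register_safe_urlize(register):
    """Register a `safe_urlize` filter on a django.template.Library.

    In myapp/templatetags/safe_urlize.py (hypothetical module):
        register = Library(); register_safe_urlize(register)
    then in templates: {% load safe_urlize %} {{ comment.body|safe_urlize }}
    The flags mirror Django's built-in urlize filter (is_safe, needs_autoescape).
    """
    from django.template.defaultfilters import stringfilter
    from django.utils.safestring import mark_safe

    @register.filter(name="safe_urlize", is_safe=True, needs_autoescape=True)
    @stringfilter
    def safe_urlize(value, autoescape=True):
        return mark_safe(bounded_urlize(value, autoescape=autoescape))

    return safe_urlize
```

Use `needs_mitigation(django.VERSION)` at startup to decide whether the wrapper is still required after an upgrade, reject oversized text in form `clean()` methods with `exceeds_budget`, and point templates at `safe_urlize` instead of the built-in filter; this limits the work urlize can be made to do but is not a substitute for moving to 4.2.15 or 5.0.8.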
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2024-08-06 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain strings in the floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)
It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)
It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)
It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
Debian
CVE-2024-41990: python-django
vendor_debian · 2024 · CVSS 7.5 · HIGH
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Scope: local
Status by suite:
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.15-1)
sid: resolved (fixed in 3:4.2.15-1)
trixie: resolved (fixed in 3:4.2.15-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()
hackerone · 2024-11-30 · CVSS 7.5 · HIGH
I reported a slow pattern in urlize using repeated `.;` characters, which would become exponentially slower the larger the string.
If a user string from a POST request was read by the function, or stored in the database to be read later by urlize, that's where the biggest problems happened.
This is the PoC that I used:
```py
import django.utils.html
from time import time

print('=== django.utils.html.urlize(".;" * n) ===')
# Grow the payload in steps of 40,000 repeats and time each urlize() call.
for i in range(0, 1000000, 40000):
    start = time()
    PAYLOAD = ".;" * i
    django.utils.html.urlize(PAYLOAD)
    print(len(PAYLOAD), "\t", time() - start)
```
```
=== django.utils.html.urlize(".;" * n) ===
80000 0.517104148864746
160000 1.91546583175659
240000 4.26700210571289
320000 7.51475358009338
4000
```
Bugzilla
CVE-2024-41990 python-django: Potential denial-of-service vulnerability in django.utils.html.urlize()
bugzilla · 2024-08-02 · CVSS 7.5 · HIGH
Description: urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Affected versions:
* Django main development branch
* Django 5.1 (currently at release candidate status)
* Django 5.0
* Django 4.2
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:6428 https://access.redhat.com/errata/RHSA-2024:6428
---
This issue has been addressed in the following products:
RHUI 4 for RHEL 8
Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
2024-08-07
Published