CVE-2024-41991
Published 2024-08-07
Priority P3 · 35 · high · CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.95% (56.9th percentile)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
Red Hat
python-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
vendor_redhat·2024-08-06·CVSS 7.5
CVE-2024-41991 [HIGH] CWE-400 python-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
A flaw was found in Django. 'urlize', 'urlizetrunc', and 'AdminURLFieldWidget' may be subject to a denial of service attack via certain inputs with a very large number of Unicode characters.
Statement: The identified vulnerability in Django's urlize, urlizetrunc template filters, and the AdminURLFieldWidget widget is classified as moderate severity rather than important due to its specific attack vector and i
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-08-06·CVSS 7.5
CVE-2024-41990 [HIGH] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain strings in floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)

It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)

It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)

It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injectio
Debian
CVE-2024-41991: python-django - An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The ur...
vendor_debian·2024·CVSS 7.5
CVE-2024-41991 [HIGH] CVE-2024-41991: python-django - An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The ur...
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: resolved (fixed in 3:4.2.15-1)
sid: resolved (fixed in 3:4.2.15-1)
trixie: resolved (fixed in 3:4.2.15-1)
OSV
CVE-2024-41991: An issue was discovered in Django 5
osv·2024-08-07·CVSS 7.5
CVE-2024-41991 [HIGH] CVE-2024-41991: An issue was discovered in Django 5
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
GHSA
Django vulnerable to denial-of-service attack
ghsa·2024-08-07
CVE-2024-41991 [MEDIUM] CWE-1284 Django vulnerable to denial-of-service attack
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
OSV
Django vulnerable to denial-of-service attack
osv·2024-08-07
CVE-2024-41991 [MEDIUM] Django vulnerable to denial-of-service attack
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
OSV
python-django vulnerabilities
osv·2024-08-06·CVSS 7.5
CVE-2024-41989 [HIGH] python-django vulnerabilities
It was discovered that Django incorrectly handled certain strings in floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)

It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)

It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)

It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
No detection rules found.
No public exploits indexed.
Published: 2024-08-07