GHSA-5hgc-2vfp-mqvc

Source
https://github.com/advisories/GHSA-5hgc-2vfp-mqvc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-5hgc-2vfp-mqvc/GHSA-5hgc-2vfp-mqvc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5hgc-2vfp-mqvc
Aliases
Published
2024-10-08T18:33:13Z
Modified
2024-10-30T19:23:43.662562Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
Details

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs containing a specific sequence of characters; the impact is to availability only (CVSS C:N/I:N/A:L), and the fix is to upgrade to 5.1.1, 5.0.9 or 4.2.16 respectively.
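The affected ranges above, encoded as an offline version check that tells you whether a given Django version falls inside one of this advisory's ranges and which release to upgrade to. This is an added example, not code from the advisory, from OSV or from the Django project; it assumes Django-style version strings (PEP 440 final releases plus a/b/rc and .dev forms) and, in check_installed(), that a django package is importable in the current interpreter. It only encodes the ranges listed on this page and does not reproduce the urlize() behaviour itself.

```python
"""Offline check of a Django version against the affected ranges listed on
this advisory page (GHSA-5hgc-2vfp-mqvc): [5.1, 5.1.1), [5.0, 5.0.9) and
[4.2, 4.2.16) for the PyPI package "django", range type ECOSYSTEM.

Added example, not part of the advisory or of Django.
"""
import re
from typing import Optional, Tuple

# [introduced, fixed) pairs, copied from the advisory's "Affected ranges".
AFFECTED_RANGES = (
    ("5.1", "5.1.1"),
    ("5.0", "5.0.9"),
    ("4.2", "4.2.16"),
)

# Django version strings look like "4.2.16", "5.1", "5.0rc1", "5.1a1" or
# "5.2.dev20240801120000" (assumed shapes; the regex accepts only these).
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre>a|b|rc)(?P<pre_n>\d+))?"
    r"(?:\.dev(?P<dev>\d+))?$"
)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, Tuple[int, int]]:
    """Turn a version string into a tuple that orders like PEP 440 for these
    shapes: release numbers first; a dev or pre-release tag sorts below the
    final release carrying the same numbers (so 5.0rc1 < 5.0 < 5.0.1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    release += (0,) * (3 - len(release))              # "5.1" -> (5, 1, 0)
    if m.group("pre"):
        return release, 0, (_PRE_RANK[m.group("pre")], int(m.group("pre_n")))
    if m.group("dev"):
        return release, 0, (-1, int(m.group("dev")))  # dev sorts lowest
    return release, 1, (0, 0)                          # final release


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` lies inside one of
    the advisory's [introduced, fixed) ranges, otherwise None.
    Pre-releases such as 5.0rc1 sort below the introduced version and are
    therefore not reported; the page lists no pre-release as affected."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return fixed
    return None


def check_installed() -> Optional[str]:
    """Check the Django importable in this interpreter (assumes Django is
    installed; returns None when it is not or when it is not affected)."""
    try:
        import django
    except ImportError:
        return None
    return fixed_version_for(django.get_version())


if __name__ == "__main__":
    # Constructed sample versions, one either side of each fixed release.
    for sample in ("4.2.15", "4.2.16", "5.0.8", "5.0.9", "5.1", "5.1.1", "5.0rc1"):
        fix = fixed_version_for(sample)
        status = f"upgrade to {fix}" if fix else "not in an affected range"
        print(f"django {sample:<8} -> {status}")
```

A result of None only means the version is outside the ranges this advisory lists; it says nothing about other Django advisories, so pair the check with a full OSV query (the JSON Data link above) rather than relying on it alone.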

Database specific
{
    "nvd_published_at": "2024-10-08T16:15:11Z",
    "cwe_ids": [
        "CWE-120",
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T21:04:45Z"
}
References

Affected packages

PyPI / django

Affected ranges (type: ECOSYSTEM)

  Introduced   Fixed
  5.1          5.1.1
  5.0          5.0.9
  4.2          4.2.16

Affected versions

  5.1 series: 5.1
  5.0 series: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8
  4.2 series: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 4.2.14, 4.2.15