GHSA-x7gm-rfgv-w973
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x7gm-rfgv-w973
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x7gm-rfgv-w973
- Aliases
- Related
- Published
- 2020-09-28T19:05:29Z
- Modified
- 2024-09-16T22:22:30.086591Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Potential DoS with NumberFilter conversion to integer values.
- Details
-
Impact
Automatically generated
NumberFilterinstances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents.Patches
Version 2.4.0+ applies a
MaxValueValidatorwith a a defaultlimit_valueof 1e50 to the form field used byNumberFilterinstances.In addition,
NumberFilterimplements the newget_max_validator()which should return a configured validator instance to customise the limit, or elseNoneto disable the additional validation.Workarounds
Users may manually apply an equivalent validator if they are not able to upgrade.
For more information
If you have any questions or comments about this advisory: * Open an issue in the django-filter repo
Thanks to Marcin Waraksa for the report.
- Database specific
{ "github_reviewed_at": "2020-09-28T19:04:39Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-681" ], "nvd_published_at": "2021-04-29T21:15:00Z" }- References
-
- https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
- https://nvd.nist.gov/vuln/detail/CVE-2020-15225
- https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
- https://github.com/carltongibson/django-filter
- https://github.com/carltongibson/django-filter/releases/tag/2.4.0
- https://github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX
- https://pypi.org/project/django-filter
- https://security.netapp.com/advisory/ntap-20210604-0010
Affected packages
PyPI / django-filter
Package
- Name
- django-filter
- View open source insights on deps.dev
- Purl
- pkg:pypi/django-filter