Errata ALT-PU-2024-4593-1: Information
Fixes
Published: Feb. 6, 2024
BDU:2024-01517
Уязвимость программной платформы для веб-приложений Django, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: Feb. 7, 2024
Modified: April 20, 2024
Modified: April 20, 2024
CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: March 15, 2024
Modified: July 3, 2024
Modified: July 3, 2024
CVE-2024-27351
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Links:
- https://groups.google.com/forum/#%21forum/django-announce
- https://docs.djangoproject.com/en/5.0/releases/security/
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
- FEDORA-2024-5c7fb64c74
- FEDORA-2024-2ec03ca8cb
- FEDORA-2024-84fbbbb914
- [oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()