pip

Django vulnerable to Denial of Service

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 10, 2024

Package

Django (pip)

Affected versions

>= 5.0, < 5.0.7

>= 4.2, < 4.2.14

Patched versions

5.0.7

4.2.14

Description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39614
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases
django/django@17358fb
django/django@8e7a44e
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-59.yaml

Published by the National Vulnerability Database

Jul 10, 2024

Published to the GitHub Advisory Database Jul 10, 2024

Reviewed Jul 10, 2024

Last updated Jul 10, 2024

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Django vulnerable to Denial of Service

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code