Lucene search

K

GoogleOSV:GHSA-JH3W-4VVF-MJGR

HistoryJul 03, 2023 - 3:30 p.m.

Django has regular expression denial of service vulnerability in EmailValidator/URLValidator

2023-07-0315:30:45

Google

osv.dev

6

django

regular expression

denial of service

emailvalidator

urlvalidator

vulnerability

software

redos

attack

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.5%

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CPENameOperatorVersion
djangoeq3.2.19
djangoeq4.0.1
djangoeq4.0.6
djangoeq3.2.11
djangoeq4.0.8
djangoeq3.2.2
djangoeq3.2
djangoeq3.2.8
djangoeq4.0.2
djangoeq4.1.4

Rows per page:

1-10 of 471

References

docs.djangoproject.com/en/4.2/releases/security

github.com/django/django

github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582

github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd

github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9

github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d

github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml

groups.google.com/forum/#!forum/django-announce

groups.google.com/forum/#%21forum/django-announce

lists.debian.org/debian-lts-announce/2023/07/msg00022.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS

lists.fedoraproject.org/archives/list/[email protected]/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A

lists.fedoraproject.org/archives/list/[email protected]/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS

nvd.nist.gov/vuln/detail/CVE-2023-36053

www.debian.org/security/2023/dsa-5465

www.djangoproject.com/weblog/2023/jul/03/security-releases

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

50.5%

Related for OSV:GHSA-JH3W-4VVF-MJGR

prion1 debian2 openvas15 redhatcve1 redhat6 nessus20 redos1 mageia1 osv7 vulnrichment1 nvd1 veracode1 ubuntu2 freebsd1 github1 ubuntucve1 debiancve1 cve1 cvelist1 fedora5 ibm1 rocky1