
[Snyk:Medium] django Denial of Service (DoS)(due by 03/20/2022) #5030

Closed
1 task
Tracked by #137
fec-jli opened this issue Jan 19, 2022 · 2 comments
Labels: Security: moderate; Remediate within 60 days

fec-jli (Contributor) commented Jan 19, 2022

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Denial of Service (DoS) via UserAttributeSimilarityValidator, when evaluating submitted passwords that are extremely large relative to the comparison values. This issue is mitigated in newer versions by ignoring long values in UserAttributeSimilarityValidator.

Note: it is exploitable under the assumption that access to user registration is unrestricted.

https://app.snyk.io/org/fecgov/project/ff0dca01-794e-4c1c-bf1f-0c0f8932fadd/#issue-SNYK-PYTHON-DJANGO-2329160

Introduced through:

  • project@0.0.0 › django@3.1.13
    Fix: Upgrade django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › cg-django-uaa@2.1.1 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › django-jinja@2.7.0 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › django-storages@1.7.1 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › wagtail@2.11.8 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › wagtail@2.11.8 › django-filter@2.4.0 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › wagtail@2.11.8 › django-taggit@1.5.1 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › wagtail@2.11.8 › django-treebeard@4.5.1 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › wagtail@2.11.8 › djangorestframework@3.13.1 › django@3.1.13
    Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
  • project@0.0.0 › django-libsass@0.7 › django-compressor@3.1 › django-appconf@1.0.5 › django@3.1.13

Remediation:

Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1

Completion criteria:

  • Fix: Pin django to version 3.2.11
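The following is an added example, not code from this issue, from Snyk, or from the Django project. It is a self-contained, simplified model of the loop inside UserAttributeSimilarityValidator, written so it runs without Django installed: a plain dict stands in for the user model, MAX_SIMILARITY and USER_ATTRIBUTES mirror the validator's defaults (an assumption about this project's settings), and the length-ratio pre-check follows the shape of the upstream mitigation (skip the comparison when the password is at least ten times longer than the attribute value and the value is shorter than max_similarity/2 times the password length). The point it makes is the one the advisory states: without the pre-check, every attribute part is run through a SequenceMatcher over the full password, so an oversized password turns into attacker-controlled work; with it, none of those comparisons happen, and the verdict on ordinary passwords is unchanged.

```python
import re
from difflib import SequenceMatcher

# Mirrors the validator's defaults (assumption: the project does not override
# max_similarity or user_attributes in AUTH_PASSWORD_VALIDATORS).
MAX_SIMILARITY = 0.7
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")


def exceeds_maximum_length_ratio(password, max_similarity, value):
    """Return True when `value` is so short relative to `password` that
    quick_ratio() cannot reach `max_similarity`, so the comparison can be
    skipped without changing the verdict.

    quick_ratio() is 2*M/(len(a)+len(b)) with M <= len(b), so it is bounded
    above by 2*len(b)/(len(a)+len(b)) < 2*len(b)/len(a).  When
    len(b) < max_similarity/2 * len(a) that bound is below max_similarity.
    The 10x factor restricts the skip to genuinely lopsided inputs.
    """
    pwd_len = len(password)
    value_len = len(value)
    length_bound_similarity = max_similarity / 2 * pwd_len
    return pwd_len >= 10 * value_len and value_len < length_bound_similarity


def check_similarity(password, user, bounded):
    """Simplified model of the validator's loop (not Django's own code).

    `user` is a dict standing in for the user model.  Returns
    (too_similar, comparisons), where `comparisons` counts the SequenceMatcher
    runs over the full password that were actually performed.  bounded=False
    is the unbounded shape; bounded=True adds the length-ratio pre-check.
    """
    comparisons = 0
    password_lower = password.lower()
    for attribute_name in USER_ATTRIBUTES:
        value = user.get(attribute_name)
        if not value or not isinstance(value, str):
            continue
        # Each attribute is compared whole and split on non-word characters,
        # so a single e-mail address already yields several targets.
        value_parts = re.split(r"\W+", value) + [value]
        for value_part in value_parts:
            if bounded and exceeds_maximum_length_ratio(password, MAX_SIMILARITY, value_part):
                continue
            comparisons += 1
            matcher = SequenceMatcher(a=password_lower, b=value_part.lower())
            if matcher.quick_ratio() >= MAX_SIMILARITY:
                return True, comparisons
    return False, comparisons


# Constructed sample user; not data from the project.
SAMPLE_USER = {
    "username": "alice",
    "first_name": "Alice",
    "last_name": "Smith",
    "email": "alice@example.com",
}


def demo():
    """Verdicts and comparison counts for a normal and an oversized password."""
    normal = "alice123"
    oversized = "x" * 50_000  # stands in for a multi-megabyte submitted password
    return {
        "normal_unbounded": check_similarity(normal, SAMPLE_USER, bounded=False),
        "normal_bounded": check_similarity(normal, SAMPLE_USER, bounded=True),
        "oversized_unbounded": check_similarity(oversized, SAMPLE_USER, bounded=False),
        "oversized_bounded": check_similarity(oversized, SAMPLE_USER, bounded=True),
    }


if __name__ == "__main__":
    for name, (too_similar, comparisons) in demo().items():
        print(f"{name}: too_similar={too_similar}, comparisons={comparisons}")
```

Two practitioner notes. First, AUTH_PASSWORD_VALIDATORS run wherever Django validates a new password, not only on self-registration: user creation, password change, password reset and the admin set-password form all call validate_password, so closing public registration removes the anonymous path but an authenticated user changing their own password still reaches the validator. Second, independent of the upgrade, a max_length on the password field of every form that accepts one is a cheap additional control against oversized submissions.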
patphongs (Member) commented Mar 9, 2022

Our CMS authentication is using a separate cloud.gov authentication system. Therefore, we don't allow users to register using our system and this is not a vulnerability. We will be upgrading django to 3.2.11 in a follow-up ticket once we've upgraded Wagtail.

cnlucas (Member) commented Mar 23, 2022

We need to upgrade to 3.2.12 in the follow up ticket due to this vulnerability and the XSS vulnerability. We are currently not using the affected template tag, but 3.2.12 is needed anyway.
