Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Med] Django (Due 12/11/23) #5952

Closed
Tracked by #137
tmpayton opened this issue Oct 11, 2023 · 1 comment
Closed
Tracked by #137

[Snyk: Med] Django (Due 12/11/23) #5952

tmpayton opened this issue Oct 11, 2023 · 1 comment
Assignees
@cnlucas
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 23.4

Comments

@tmpayton
Copy link
Contributor

tmpayton commented Oct 11, 2023
edited by cnlucas

django
Regular Expression Denial of Service (ReDoS)
VULNERABILITY

SCORE
551

Introduced through
django@3.2.21, django-jinja@2.10.2 and others
Fixed in
django@3.2.22, @4.1.12, @4.2.6

Exploit maturity
NO KNOWN EXPLOIT

Detailed paths and remediation
Introduced through: project@0.0.0 › django@3.2.21
Fix: Upgrade django to version 3.2.22 or 4.1.12 or 4.2.6
Introduced through: project@0.0.0 › django-jinja@2.10.2 › django@3.2.21
Fix: Pin django to version 3.2.22 or 4.1.12 or 4.2.6
Introduced through: project@0.0.0 › django-storages@1.7.1 › django@3.2.21
Fix: Pin django to version 3.2.22 or 4.1.12 or 4.2.6
…and 8 more

Security information
Factors contributing to the scoring:
Snyk: CVSS 5.3 - Medium Severity

NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the chars() and words() methods in the django.utils.text.Truncator function. An attacker can cause a denial of service by exploiting the inefficient regular expression complexity, which exhibits linear backtracking complexity and can be slow, given certain long and potentially malformed HTML inputs.

Introduced through
django@3.2.21, django-jinja@2.10.2 and others

Exploit maturity
No known exploit

Detailed paths

Introduced through: project@0.0.0 › django@3.2.21
Fix: No remediation path available.
Introduced through: project@0.0.0 › django-jinja@2.10.2 › django@3.2.21
Fix: No remediation path available.
Introduced through: project@0.0.0 › django-storages@1.7.1 › django@3.2.21
Fix: No remediation path available.

…and 8 more
Security information
Factors contributing to the scoring:

Snyk: [CVSS 5.3](https://security.snyk.io/vuln/SNYK-PYTHON-DJANGO-6041515) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) via the NFKC normalization function in django.contrib.auth.forms.UsernameField. A potential attack can be executed via certain inputs with a very large number of Unicode characters.
@tmpayton tmpayton added the Security: moderate Remediate within 60 days label Oct 11, 2023
@tmpayton tmpayton added this to the Sprint 23.3 milestone Oct 11, 2023
@tmpayton tmpayton mentioned this issue Oct 11, 2023
Closed
3 tasks
@cnlucas cnlucas mentioned this issue Oct 18, 2023
Closed
2 tasks
This was referenced Oct 25, 2023
Closed
Closed
@cnlucas cnlucas mentioned this issue Nov 8, 2023
Closed
3 tasks
@pkfec pkfec mentioned this issue Nov 15, 2023
Closed
2 tasks
@cnlucas cnlucas mentioned this issue Nov 22, 2023
Closed
3 tasks
@cnlucas
Copy link
Member

cnlucas commented Nov 28, 2023

cloud-gov/cg-django-uaa#70

@cnlucas cnlucas mentioned this issue Nov 29, 2023
Merged
@tmpayton tmpayton mentioned this issue Nov 29, 2023
Closed
2 tasks
@cnlucas cnlucas closed this as completed Dec 7, 2023
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Security: moderate Remediate within 60 days
Projects
Website project
Archived in project
Milestone
Sprint 23.4
Development

No branches or pull requests
3 participants
@JonellaCulmer @cnlucas @tmpayton