BIT-django-2024-38875
Denial of Service vulnerability in django (PyPI)
What is BIT-django-2024-38875 About?
This vulnerability in Django's `urlize` and `urlizetrunc` functions can lead to a denial of service. Attackers can provide specially crafted inputs containing a large number of brackets to exhaust system resources, making the application unavailable. Exploitation is relatively straightforward, requiring only the submission of malformed inputs.
Affected Software
- django
- >5.0, <5.0.7
- >4.2, <4.2.14
Technical Details
The vulnerability lies within the urlize and urlizetrunc functions in Django versions 4.2 before 4.2.14 and 5.0 before 5.0.7. These functions are susceptible to a denial-of-service attack when processing inputs that contain a very large number of brackets. The excessive number of brackets causes the functions to consume a disproportionate amount of CPU time and memory during parsing and processing, leading to resource exhaustion. This can render the Django application unresponsive or crash it, effectively denying service to legitimate users when an attacker provides the triggering input.
What is the Impact of BIT-django-2024-38875?
Successful exploitation may allow attackers to cause a denial of service, rendering the application or system unavailable to legitimate users.
What is the Exploitability of BIT-django-2024-38875?
Exploitation of this denial-of-service vulnerability is relatively low in complexity. The attacker primarily needs the ability to provide input to the urlize or urlizetrunc functions, which are often exposed through user-submitted content fields. There are no specific authentication or privilege requirements to trigger the vulnerability, as these functions typically process publicly accessible or user-generated content. This is a remote attack, as the attacker can send the malicious input over the network. The main prerequisite is that the Django application uses the affected urlize or urlizetrunc functions and processes untrusted input, which makes public-facing applications the most likely targets.
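Two defender-side helpers for the Technical Details and Exploitability sections above, added here as an example and not part of the advisory or of Django itself: a version check against the affected ranges the advisory lists (4.2 before 4.2.14, 5.0 before 5.0.7), and a pre-filter that rejects oversized or bracket-heavy untrusted text before it reaches urlize or urlizetrunc on an instance that cannot be upgraded yet. The size and bracket limits are assumptions chosen for illustration, not values from the Django project, and the sample inputs are constructed.

```python
"""
Added example for BIT-django-2024-38875 (not code from the advisory or from Django).

is_affected_version()  - compares a Django version string with the affected ranges
                         stated in the advisory.
guard_urlize_input()   - a cheap pre-check to run on untrusted text before calling
                         django.utils.html.urlize / urlizetrunc while a fix is pending.
"""
import re

# (series, first fixed release) taken from the advisory: 4.2.x < 4.2.14, 5.0.x < 5.0.7
AFFECTED_RANGES = (
    ((4, 2), (4, 2, 14)),
    ((5, 0), (5, 0, 7)),
)

# Assumed limits for illustration; tune to what legitimate content actually needs.
MAX_INPUT_LEN = 10_000
MAX_BRACKETS = 200

# urlize strips wrapping punctuation such as (), [], <> around candidate links,
# so these are the characters the guard counts.
BRACKET_RE = re.compile(r"[()\[\]{}<>]")


def parse_version(version):
    """Turn '4.2.13' into (4, 2, 13). Pre-release suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version):
    """True if the given Django version falls in an affected range from the advisory."""
    ver = parse_version(version)
    for series, fixed in AFFECTED_RANGES:
        # Only the 4.2.x and 5.0.x series are listed; other series are not judged here.
        if ver[:2] == series and ver < fixed:
            return True
    return False


def guard_urlize_input(text, max_len=MAX_INPUT_LEN, max_brackets=MAX_BRACKETS):
    """
    Return (ok, reason). Call this before handing untrusted text to urlize/urlizetrunc.
    Rejecting early keeps bracket-heavy payloads from consuming CPU inside the filter.
    """
    if len(text) > max_len:
        return False, f"input length {len(text)} exceeds {max_len}"
    bracket_count = len(BRACKET_RE.findall(text))
    if bracket_count > max_brackets:
        return False, f"{bracket_count} bracket characters exceed {max_brackets}"
    return True, "ok"


if __name__ == "__main__":
    for v in ("4.2.13", "4.2.14", "5.0.6", "5.0.7"):
        print(v, "affected" if is_affected_version(v) else "not affected")

    # Constructed samples: ordinary user text versus a bracket-heavy submission.
    normal = "Release notes: https://example.com/notes (see section 2)"
    heavy = "(" * 500 + "https://example.com" + ")" * 500
    print(guard_urlize_input(normal))
    print(guard_urlize_input(heavy))
```

In a Django project the guard would sit in the view or form that accepts the content, with rejected submissions logged so that repeated bracket-heavy input from one source shows up in monitoring; upgrading to 4.2.14 or 5.0.7 remains the actual fix.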
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2024-38875?
About the Fix from Resolved Security
Available Upgrade Options
- django
- >4.2, <4.2.14 → Upgrade to 4.2.14
- django
- >5.0, <5.0.7 → Upgrade to 5.0.7
Additional Resources
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-56.yaml
- https://osv.dev/vulnerability/PYSEC-2024-56
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://github.com/django/django
- https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
- https://osv.dev/vulnerability/GHSA-qg2p-9jwr-mmqf
What are Similar Vulnerabilities to BIT-django-2024-38875?
Similar Vulnerabilities: CVE-2023-46738, CVE-2023-27461, CVE-2022-42111, CVE-2021-3620, CVE-2020-13936
