BIT-django-2024-39614
Denial-of-Service (DoS) vulnerability in django (PyPI)
What is BIT-django-2024-39614 About?
This is a Denial-of-Service (DoS) vulnerability affecting Django 5.0 before 5.0.7 and 4.2 before 4.2.14. It specifically impacts the `get_supported_language_variant()` function when processing very long strings with particular character sequences. An attacker can craft malicious input to cause the function to consume excessive resources, leading to a denial-of-service condition.
Affected Software
- django
  - >5.0, <5.0.7
  - >4.2, <4.2.14
Technical Details
The vulnerability lies within the get_supported_language_variant() function in Django 5.0 (versions before 5.0.7) and Django 4.2 (versions before 4.2.14). This function is susceptible to a denial-of-service attack when it processes extremely long input strings containing specific character patterns. These patterns can trigger inefficient string operations or regular expression evaluations within the function, leading to catastrophic backtracking or excessive computational load. This resource exhaustion ultimately causes the server to become unresponsive, denying service to legitimate users.
What is the Impact of BIT-django-2024-39614?
Successful exploitation may allow attackers to cause a denial-of-service condition, rendering the Django application or service unavailable to legitimate users by consuming excessive CPU or memory resources.
What is the Exploitability of BIT-django-2024-39614?
Exploitation requires sending a request containing a very long string with specific characters that targets the get_supported_language_variant() function. This typically involves crafting a malicious HTTP request to an endpoint that internally uses this function. No authentication or elevated privileges are required, making it an unauthenticated remote attack. The complexity lies in identifying the precise character sequences that trigger the resource exhaustion. Risk factors include public-facing Django applications with insufficient input length validation or rate limiting on requests that interact with this function.
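The input-length validation named above as a risk factor, as an added example rather than Django's own fix (the fix is the upgrade to 4.2.14 or 5.0.7): a middleware that bounds the three request inputs LocaleMiddleware reads a language code from (URL prefix, language cookie, Accept-Language header) before they reach get_supported_language_variant(). The 64-character bound and the prefix pattern are assumptions of this example, not values from Django.

```python
import re

# Constructed bound for this example: real language tags are a few dozen
# characters at most, so anything far longer is not a legitimate tag.
MAX_LANGUAGE_CODE_LENGTH = 64
# Django's default LANGUAGE_COOKIE_NAME.
LANGUAGE_COOKIE_NAME = "django_language"
# Assumed shape of a URL language prefix segment (letters, digits, '-', '@');
# other first segments are ordinary paths and are left alone.
_PREFIX_SHAPE = re.compile(r"[\w@-]+")


def oversized_language_inputs(meta, cookies, path, limit=MAX_LANGUAGE_CODE_LENGTH):
    """Name every language-bearing request input longer than `limit`."""
    findings = []
    # Each comma-separated Accept-Language entry is one tag plus optional q-value.
    accept_header = meta.get("HTTP_ACCEPT_LANGUAGE", "")
    tags = (entry.split(";", 1)[0].strip() for entry in accept_header.split(","))
    if any(len(tag) > limit for tag in tags):
        findings.append("Accept-Language")
    if len(cookies.get(LANGUAGE_COOKIE_NAME, "")) > limit:
        findings.append("language cookie")
    first_segment = path.lstrip("/").split("/", 1)[0]
    if _PREFIX_SHAPE.fullmatch(first_segment) and len(first_segment) > limit:
        findings.append("URL language prefix")
    return findings


class LanguageInputLengthMiddleware:
    """Reject oversized language inputs before LocaleMiddleware parses them."""

    def __init__(self, get_response):
        self.get_response = get_response

    def reject(self, request, findings):
        # Imported lazily so the length check itself runs without Django.
        from django.http import HttpResponseBadRequest
        return HttpResponseBadRequest("language input too long: " + ", ".join(findings))

    def __call__(self, request):
        findings = oversized_language_inputs(request.META, request.COOKIES, request.path)
        if findings:
            return self.reject(request, findings)
        return self.get_response(request)
```

List the class in MIDDLEWARE ahead of django.middleware.locale.LocaleMiddleware so the check runs first; a rejection logged from reject() also gives a detection signal for oversized language inputs.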
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Abdurahmon3236 | Link | PoC for CVE-2024-39614 |
What are the Available Fixes for BIT-django-2024-39614?
About the Fix from Resolved Security
Available Upgrade Options
- django
  - >4.2, <4.2.14 → Upgrade to 4.2.14
  - >5.0, <5.0.7 → Upgrade to 5.0.7
Additional Resources
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2024-39614
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://osv.dev/vulnerability/GHSA-f6f8-9mx6-9mx2
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-59.yaml
- https://github.com/django/django
- https://github.com/django/django/commit/8e7a44e4bec0f11474699c3111a5e0a45afe7f49
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7435780
What are Similar Vulnerabilities to BIT-django-2024-39614?
Similar Vulnerabilities: CVE-2024-45230, CVE-2023-5072, CVE-2023-28155, CVE-2022-25911, CVE-2021-3918
