CVE-2024-24680
Denial of Service vulnerability in django (PyPI)
What is CVE-2024-24680 About?
This vulnerability is a denial-of-service (DoS) issue in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and 5.0 before 5.0.2. It affects the `intcomma` template filter from `django.contrib.humanize`, which could consume excessive CPU time when asked to format very long strings. Exploitation depends on being able to get an extremely long string into a template where this filter is applied to it.
Affected Software
- django
- >3.2, <3.2.24
- >4.2, <4.2.10
- >5.0, <5.0.2
Technical Details
The `intcomma` filter inserts a thousands separator every three digits of a number or numeric string (3000 becomes 3,000). Before 3.2.24, 4.2.10 and 5.0.2, the fallback code path that formats the value with a regular expression (taken when `use_l10n` is false or the value cannot first be converted to a number) inserted those separators one at a time: an anchored regular expression added a single comma, and the filter then called itself on the result until the string stopped changing. Every pass re-walks the leading run of digits, so the work grows roughly with the square of the digit count, and an input of many thousands of digits can tie up a worker for far longer than a normal request. Production deployments serve requests from a bounded pool of worker processes or threads, so a handful of such requests can make the application unresponsive for legitimate users. The fixed releases compute the grouping in a single pass over the digit run, so the cost is linear in the input length.
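To make the cost model concrete, the following is an added example written for this page (editor's code, not Django's source): a reconstruction of the pre-fix comma-insertion loop, the single-pass grouping used by the fixed releases, and a small harness that counts how many passes run and how many characters the anchored regex walks for a constructed all-nines input. It assumes the pre-fix shape was a single anchored regex inserting one comma per pass with recursion to a fixed point, and that the fixed shape groups the digit prefix once (reverse, insert, reverse); both are reconstructions, not verbatim Django code.

```python
import re

# Added example: an editor's reconstruction of the two intcomma strategies,
# not Django's source verbatim. ASSUMPTION: the pre-fix shape was one anchored
# regex that inserts a single comma per pass and recurses until nothing
# changes; the fixed releases group the digit prefix in one pass.

_ONE_COMMA = re.compile(r"^(-?\d+)(\d{3})")
_DIGIT_PREFIX = re.compile(r"-?\d+")


def intcomma_prefix_style(value, counter=None):
    """Pre-fix shape: insert one comma per pass, then recurse on the result.

    `counter` (optional dict) accumulates how many passes ran and how many
    characters the anchored regex walked, which makes the quadratic cost visible.
    """
    orig = str(value)
    if counter is not None:
        counter["passes"] += 1
        prefix = _DIGIT_PREFIX.match(orig)
        counter["scanned"] += len(prefix[0]) if prefix else 0
    new = _ONE_COMMA.sub(r"\g<1>,\g<2>", orig)
    if orig == new:
        return new
    return intcomma_prefix_style(new, counter)


def intcomma_single_pass(value):
    """Post-fix shape: group the leading digit run once, in linear time."""
    result = str(value)
    match = _DIGIT_PREFIX.match(result)
    if match:
        prefix = match[0]
        # Reverse so that \d{3} groups from the least significant digit.
        grouped = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
        # Drop artefacts: a comma right after the sign or at the very front.
        grouped = grouped.replace("-,", "-").removeprefix(",")
        result = grouped + result[len(prefix):]
    return result


def measure(n_digits):
    """Run both strategies on a constructed n-digit input and report the work."""
    digits = "9" * n_digits  # constructed input
    counter = {"passes": 0, "scanned": 0}
    slow = intcomma_prefix_style(digits, counter)
    fast = intcomma_single_pass(digits)
    return {
        "passes": counter["passes"],
        "scanned": counter["scanned"],
        "same_output": slow == fast,
    }


if __name__ == "__main__":
    # Doubling the digit count roughly quadruples the characters walked by the
    # pre-fix strategy; the single-pass version touches each character once.
    for n in (300, 600, 1200):
        print(n, measure(n))
```

Both functions produce identical output for the same input; only the amount of work differs. The harness stays well under Python's default recursion limit on purpose, since the pre-fix shape adds one stack frame per comma.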
What is the Impact of CVE-2024-24680?
Successful exploitation may allow attackers to cause a denial of service, rendering the Django application or website unresponsive and unavailable to users.
What is the Exploitability of CVE-2024-24680?
Exploitation is of low to moderate complexity. It requires network access to an application running a vulnerable release and a template that applies `intcomma` to a value the attacker can influence, such as a form field or request parameter that is echoed back into a page. No authentication or special privileges are needed beyond that. Whether a given value reaches the slow path also depends on how the filter is invoked (its `use_l10n` argument) and on whether Django can first convert the value to a number, so treat any template that applies `intcomma` to request-derived data as exposed until the upgrade is in place. The likelihood of successful exploitation rises with the amount of user-submitted numeric or string content an application renders through this filter.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2024-24680?
Available Upgrade Options
- django
- >=3.2, <3.2.24 → Upgrade to 3.2.24
- >=4.2, <4.2.10 → Upgrade to 4.2.10
- >=5.0, <5.0.2 → Upgrade to 5.0.2
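Two triage checks a practitioner would want alongside the upgrade table, as an added example (editor's code, not from the advisory or the Django project): a version-range check for the three series named above, and a scanner that lists every `|intcomma` use in a template tree so the uses fed by request data (the exposure described under exploitability) can be reviewed first. It assumes that versions outside the three listed series are best reported as "not covered" rather than safe, since the advisory says nothing about them, and the sample templates it scans are constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Added triage helpers (editor's code, not Django's or the advisory's).
# Fixed releases named in the advisory, keyed by (major, minor) series.
ADVISORY_RANGES = (
    ((3, 2), (3, 2, 24)),
    ((4, 2), (4, 2, 10)),
    ((5, 0), (5, 0, 2)),
)


def parse_version(text):
    """Turn '4.2.9', '4.2' or '5.0a1' into a (major, minor, micro) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def is_vulnerable(version_text):
    """True/False for the three series the advisory covers, None otherwise.

    ASSUMPTION: series the advisory does not mention (e.g. 4.1.x) are reported
    as None so the caller can handle them separately rather than as safe.
    """
    v = parse_version(version_text)
    for series, fixed in ADVISORY_RANGES:
        if v[:2] == series:
            return v < fixed
    return None


# Matches "{{ expr|intcomma" including chained filters before intcomma.
_INTCOMMA_USE = re.compile(r"\{\{\s*([^{}]+?)\s*\|\s*intcomma\b")


def find_intcomma_uses(template_root):
    """Return (relative path, line number, expression) for every |intcomma use."""
    root = Path(template_root)
    hits = []
    for path in sorted(root.rglob("*.html")):
        lines = path.read_text(encoding="utf-8").splitlines()
        for lineno, line in enumerate(lines, 1):
            for m in _INTCOMMA_USE.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, m[1].strip()))
    return hits


def demo_scan():
    """Scan two constructed templates; the second use reads the query string directly."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "orders").mkdir()
        (root / "orders" / "detail.html").write_text(
            "{% load humanize %}\n"
            "<p>Total: {{ order.total|intcomma }}</p>\n"
            "<p>Echo: {{ request.GET.amount|default:''|intcomma }}</p>\n",
            encoding="utf-8",
        )
        (root / "base.html").write_text("<html>{{ title }}</html>\n", encoding="utf-8")
        return find_intcomma_uses(root)


if __name__ == "__main__":
    try:
        import django
        installed = django.get_version()
    except ImportError:
        installed = "4.2.9"  # constructed value used when Django is not installed
    print(installed, "vulnerable:", is_vulnerable(installed))
    for hit in demo_scan():
        print("%s:%d  %s" % hit)
```

Point `find_intcomma_uses` at a project's template directory to get a review list; a hit whose expression starts from `request.` or a form-bound value is the one to prioritise. The version check is deliberately stdlib-only so it can run inside a locked-down build image.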
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://github.com/django/django
- https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc
- https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
- https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
What are Similar Vulnerabilities to CVE-2024-24680?
Similar Vulnerabilities: CVE-2024-27351, CVE-2022-36087, CVE-2023-43665, CVE-2019-14232, CVE-2022-35919
