GHSA-53qw-q765-4fww

Source

https://github.com/advisories/GHSA-53qw-q765-4fww

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-53qw-q765-4fww

Aliases

Published

2022-01-12T19:20:53Z

Modified

2024-09-20T16:24:50.598077Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Denial-of-service in Django

Details

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-12T19:18:33Z",
    "nvd_published_at": "2022-01-05T00:15:00Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2a1

Fixed

2.2.26

Affected versions

2.*

2.2a1

2.2b1

2.2rc1

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.25

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json"

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2a1

Fixed

3.2.11

Affected versions

3.*

3.2a1

3.2b1

3.2rc1

3.2

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json"

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0a1

Fixed

4.0.1

Affected versions

4.*

4.0a1

4.0b1

4.0rc1

4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json"