oss-sec mailing list archives

Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005


From: Sarah Boyce <sarahboyce () djangoproject com>
Date: Tue, 6 Aug 2024 16:27:58 +0200

From: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing releases for
`Django 5.0.8 <https://docs.djangoproject.com/en/dev/releases/5.0.8/>`_ and
`Django 4.2.15 <https://docs.djangoproject.com/en/dev/releases/4.2.15/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================

The ``floatformat`` template filter is subject to significant memory consumption
when given a string representation of a number in scientific notation with a
large exponent.
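The cost comes from rendering such a value in positional notation, which materialises every digit the exponent implies. The following Python is an added illustration, not Django's code and not its fix: it counts those digits from ``Decimal``'s internal (coefficient, exponent) form without allocating them and refuses values above a bound. The bound ``MAX_DIGITS`` and the helper names are assumptions made for this example.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical bound (an assumption for this example, not Django's threshold):
# values that would need more digits than this are refused, never expanded.
MAX_DIGITS = 200


def positional_digits(value):
    """Number of digits needed to write ``value`` without an exponent.

    That is the form ``'{:f}'.format(d)`` builds: Decimal stores a coefficient
    and an exponent, so 1e100000000 positionally is '1' followed by 100000000
    zeros.  This function only counts; it never builds the string.
    """
    d = value if isinstance(value, Decimal) else Decimal(str(value))
    sign, digits, exponent = d.as_tuple()
    if exponent >= 0:
        # All coefficient digits, then ``exponent`` trailing zeros.
        return len(digits) + exponent
    # Negative exponent: integer part (at least one digit) plus fractional part.
    return max(len(digits) + exponent, 1) + (-exponent)


def safe_floatformat(text, places=2, max_digits=MAX_DIGITS):
    """Render ``text`` with ``places`` decimals, or None if it must be refused.

    None is returned for unparsable input, non-finite values, and values whose
    positional expansion would exceed ``max_digits``; a caller can then fall
    back to echoing the raw value instead of formatting it.
    """
    try:
        d = Decimal(str(text))
    except InvalidOperation:
        return None
    if not d.is_finite():
        return None
    if positional_digits(d) > max_digits:
        return None
    # Only reached for values whose expansion is known to be small.
    return f"{d:.{places}f}"


if __name__ == "__main__":
    for sample in ("1234.5678", "1e100000000", "1e-100000000"):
        print(sample, "->", positional_digits(sample), "digits,", safe_floatformat(sample))
```

The check is deliberately conservative: a very negative exponent such as ``1e-100000000`` would round to ``0.00`` cheaply, but it is refused along with the dangerous positive-exponent case because both are far outside anything a template should be rendering.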

Thanks to Elias Myllymäki for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-41990: Potential denial-of-service in ``django.utils.html.urlize()``
=============================================================================

The ``urlize()`` and ``urlizetrunc()`` template filters are subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

Thanks to `MProgrammer <https://hackerone.com/mprogrammer>`_ for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================

The ``urlize`` and ``urlizetrunc`` template filters, and the ``AdminURLFieldWidget``
widget, are subject to a potential denial-of-service attack via certain inputs
with a very large number of Unicode characters.

Thanks to Seokchan Yoon for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
======================================================================================

``QuerySet.values()`` and ``values_list()`` methods on models with a ``JSONField`` are
subject to SQL injection in column aliases via a crafted JSON object key as a
passed ``*arg``.
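To see how a JSON key name can reach the alias position, here is an added Python/sqlite3 model of the bug class. It is not Django's query compiler and does not reproduce Django's SQL: the JSON path is passed as a bound parameter, as a compiler would, while the alias derived from ``data__<key>`` is pasted into the statement text. The functions ``values_vulnerable``, ``values_hardened``, ``check_alias`` and ``quote_identifier``, the allowlist regex, and the tables and rows in ``setup()`` are all constructed for this example.

```python
import json
import re
import sqlite3


def setup():
    """Constructed sample data: a table with a JSON column, and a table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, data TEXT)")
    conn.execute("CREATE TABLE secrets (password TEXT)")
    conn.execute("INSERT INTO items (data) VALUES (?)", (json.dumps({"color": "red"}),))
    conn.execute("INSERT INTO secrets VALUES ('hunter2')")
    return conn


def values_vulnerable(conn, key):
    """Model of values('data__<key>') rendered naively.

    The JSON path '$.<key>' is a bound parameter and cannot break out of its
    string literal, but the column alias is built from the same user-supplied
    key and interpolated into the SQL text unvalidated and unquoted.
    """
    alias = f"data__{key}"
    sql = f"SELECT json_extract(data, ?) AS {alias} FROM items"
    return conn.execute(sql, (f"$.{key}",)).fetchall()


# Allowlist for aliases (an assumption for this example): a plain identifier.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_alias(alias):
    """Reject any alias that is not a bare identifier."""
    if not IDENTIFIER.match(alias):
        raise ValueError(f"invalid column alias: {alias!r}")
    return alias


def quote_identifier(name):
    """Second layer: quote the alias so even an accepted name cannot alter the statement."""
    return '"' + name.replace('"', '""') + '"'


def values_hardened(conn, key):
    """Same query, with the alias validated and quoted before it touches the SQL text."""
    alias = quote_identifier(check_alias(f"data__{key}"))
    sql = f"SELECT json_extract(data, ?) AS {alias} FROM items"
    return conn.execute(sql, (f"$.{key}",)).fetchall()


if __name__ == "__main__":
    conn = setup()
    payload = "color, (SELECT password FROM secrets) AS leaked"
    print("normal key:   ", values_vulnerable(conn, "color"))
    print("crafted key:  ", values_vulnerable(conn, payload))  # extra column from secrets
    try:
        values_hardened(conn, payload)
    except ValueError as exc:
        print("hardened:     ", exc)
```

Note that the injection needs no quote character: because the alias is an identifier position, whitespace, a comma and a subquery are enough to append a column, which is why the hardened version allowlists the whole alias rather than escaping quotes alone.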

Thanks to Eyal Gabay of EyalSec for the report.

This issue has severity "moderate" according to the Django security policy.


Affected supported versions
===========================

* Django main branch
* Django 5.1 (currently at release candidate status)
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's
main, 5.1, 5.0, and 4.2 branches.
The patches may be obtained from the following changesets.

CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
--------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/c19465ad87e33b6122c886b97a202ad54cd43672/>`__
* On the `5.1 branch <https://github.com/django/django/commit/0504af64292071e1a9565193ea8265c60600f7d7/>`__
* On the `5.0 branch <https://github.com/django/django/commit/27900fe56f3d3cabb4aeb6ccb82f92bab29073a8/>`__
* On the `4.2 branch <https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b/>`__

CVE-2024-41990: Potential denial-of-service in ``django.utils.html.urlize()``
-----------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/ecf1f8fb900f94de08c945164633e9a28a2edadb/>`__
* On the `5.1 branch <https://github.com/django/django/commit/0c1a8909164d8f2846322efb1143b72ad1616bd8/>`__
* On the `5.0 branch <https://github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93/>`__
* On the `4.2 branch <https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88/>`__

CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
-----------------------------------------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/5f1757142febd95994caa1c0f64c1a0c161982c3/>`__
* On the `5.1 branch <https://github.com/django/django/commit/bd807c0c25ab69361a4c08edcc1cf04d4652aa0a/>`__
* On the `5.0 branch <https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927/>`__
* On the `4.2 branch <https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/>`__

CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
--------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/c87bfaacf8fb84984243b5055dc70f97996cb115/>`__
* On the `5.1 branch <https://github.com/django/django/commit/e2583fbc2ebffce11b4444a7cec6336513e81f8b/>`__
* On the `5.0 branch <https://github.com/django/django/commit/32ebcbf2e1fe3e5ba79a6554a167efce81f7422d/>`__
* On the `4.2 branch <https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28/>`__


The following releases have been issued
=======================================

* Django 5.0.8 (`download Django 5.0.8
  <https://www.djangoproject.com/m/releases/5.0/Django-5.0.8.tar.gz>`_ |
  `5.0.8 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.0.8.checksum.txt>`_)
* Django 4.2.15 (`download Django 4.2.15
  <https://www.djangoproject.com/m/releases/4.2/Django-4.2.15.tar.gz>`_ |
  `4.2.15 checksums
  <https://www.djangoproject.com/m/pgp/Django-4.2.15.checksum.txt>`_)

The PGP key ID used for this release is Sarah Boyce: `3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email
to ``security () djangoproject com``, and not via Django's Trac instance, nor via
the Django Forum, nor via the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further information.
