Multiple vulnerabilities in Django
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-45230 CVE-2024-45231 |
| CWE-ID | CWE-399 CWE-209 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Django Web applications / CMS |
| Vendor | Django Software Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU96742
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-45230
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources in urlize and urlizetrunc. A remote attacker can pass very large inputs with a specific sequence of characters the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDjango: 4.2 - 5.1
CPE2.3- cpe:2.3:a:django_software_foundation:django:4.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:django_software_foundation:django:5.1:*:*:*:*:*:*:*
https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information Exposure Through an Error Message
EUVDB-ID: #VU96743
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-45231
CWE-ID:
CWE-209 - Information Exposure Through an Error Message
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to enumerate email addresses.
The vulnerability exists due to an error when handling password reset in django.contrib.auth.forms.PasswordResetForm. A remote attacker can enumerate user email addresses.
Install updates from vendor's website.
Vulnerable software versionsDjango: 4.2 - 5.1
CPE2.3https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
