Ubuntu update for python-django
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-45230 CVE-2024-45231 |
| CWE-ID | CWE-399 CWE-209 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system python3-django (Ubuntu package) Operating systems & Components / Operating system package or component python-django (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU96742
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-45230
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources in urlize and urlizetrunc. A remote attacker can pass very large inputs with a specific sequence of characters the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package python-django to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 24.04
python3-django (Ubuntu package): before Ubuntu Pro
python-django (Ubuntu package): before Ubuntu Pro
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:python3-django_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:python-django_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6987-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information Exposure Through an Error Message
EUVDB-ID: #VU96743
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-45231
CWE-ID:
CWE-209 - Information Exposure Through an Error Message
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to enumerate email addresses.
The vulnerability exists due to an error when handling password reset in django.contrib.auth.forms.PasswordResetForm. A remote attacker can enumerate user email addresses.
Update the affected package python-django to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 24.04
python3-django (Ubuntu package): before Ubuntu Pro
python-django (Ubuntu package): before Ubuntu Pro
CPE2.3- cpe:2.3:o:canonical:python3-django_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:python-django_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6987-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
