SUSE update for python-Django



Published: 2024-09-04
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2024-45230
CVE-2024-45231
CWE-ID CWE-399
CWE-209
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		openSUSE Leap
Operating systems & Components / Operating system

python3-Django
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU96742

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-45230

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in urlize and urlizetrunc. A remote attacker can pass very large inputs with a specific sequence of characters the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package python-Django to the latest version.

Vulnerable software versions

openSUSE Leap: 15.5

python3-Django: before 2.0.7-150000.1.33.1

CPE2.3 External links

http://www.suse.com/support/update/announcement/2024/suse-su-20243139-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information Exposure Through an Error Message

EUVDB-ID: #VU96743

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-45231

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a remote attacker to enumerate email addresses.

The vulnerability exists due to an error when handling password reset in django.contrib.auth.forms.PasswordResetForm. A remote attacker can enumerate user email addresses.

Mitigation

Update the affected package python-Django to the latest version.

Vulnerable software versions

openSUSE Leap: 15.5

python3-Django: before 2.0.7-150000.1.33.1

CPE2.3 External links

http://www.suse.com/support/update/announcement/2024/suse-su-20243139-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###