#VU17717 Resource exhaustion in Django - CVE-2019-6975


Vulnerability identifier: #VU17717

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6975

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper memory operations that exist when the django.utils.numberformat.format() function receives a decimal with a large number of digits or a large component. A remote attacker can send a request that submits malicious input, consume excessive amounts of memory resources, resulting in a DoS condition.

Mitigation
The vulnerability has been addressed in the versions 2.1.6, 2.0.11, 1.11.19.

Vulnerable software versions

Django: 1.11 - 1.11.18, 2.0.0 - 2.1.5

External links
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://www.openwall.com/lists/oss-security/2019/02/11/1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for python-django
Fedora 28 update for python2-django1.11
Fedora 29 update for python2-django1.11
Resource exhaustion in py-django (Alpine package)
Fedora 29 update for python-django
Fedora 28 update for python-django
Fedora EPEL 7 update for python-django
Fedora 28 update for python-django
Fedora 29 update for python-django
Ubuntu update for Django