#VU94376 Inefficient regular expression complexity in wagtail - CVE-2024-39317

Cybersecurity Help s.r.o.

Published: 2024-07-16

Vulnerability identifier: #VU94376

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39317

CWE-ID: CWE-1333

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
wagtail
Web applications / CMS

Vendor: Torchbox

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within parse_query_string. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

wagtail: 5.2 rc1 - 6.1.2

External links
https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8
https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2
https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797
https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Inefficient regular expression complexity in Wagtail