CVE-2022-41323

python-django: Potential denial-of-service vulnerability in internationalized URLs

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

En Django versiones 3.2 anteriores a 3.2.16, 4.0 anteriores a 4.0.8, y 4.1 anteriores a 4.1.2, las URLs internacionalizadas estaban sujetas a un potencial ataque de denegación de servicio por medio del parámetro locale, que es tratado como una expresión regular

A denial of service flaw was discovered in Django. This issue occurs when incorrectly handling certain internationalized URLs. A malicious attacker could use this issue to cause a crash, resulting in a denial of service.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-23 CVE Reserved
2022-10-04 CVE Published
2024-06-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (12)

URL	Tag	Source
https://groups.google.com/forum/#%21forum/django-announce
https://security.netapp.com/advisory/ntap-20221124-0001	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924	2023-11-07

URL	Date	SRC
https://docs.djangoproject.com/en/4.0/releases/security	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP	2023-11-07
https://www.djangoproject.com/weblog/2022/oct/04/security-releases	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-41323	2023-05-03
https://bugzilla.redhat.com/show_bug.cgi?id=2136130	2023-05-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.2 < 3.2.16 Search vendor "Djangoproject" for product "Django" and version " >= 3.2 < 3.2.16"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 4.0 < 4.0.8 Search vendor "Djangoproject" for product "Django" and version " >= 4.0 < 4.0.8"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 4.1 < 4.1.2 Search vendor "Djangoproject" for product "Django" and version " >= 4.1 < 4.1.2"		-		Affected