CVE-2024-24680

Django: denial-of-service in ``intcomma`` template filter

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Se descubrió un problema en Django 3.2 anterior a 3.2.24, 4.2 anterior a 4.2.10 y Django 5.0 anterior a 5.0.2. El filtro de plantilla intcomma estaba sujeto a un posible ataque de denegación de servicio cuando se utilizaba con cadenas muy largas.

A vulnerability was found in Django. When used with very long strings, the intcomma template filter was subject to a potential denial of service attack.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-26 CVE Reserved
2024-02-06 CVE Published
2024-04-20 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://www.djangoproject.com/weblog/2024/feb/06/security-releases	Release Notes

URL	Date	SRC

URL	Date	SRC
https://docs.djangoproject.com/en/5.0/releases/security	2024-04-20

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX	2024-04-20
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6	2024-04-20
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D	2024-04-20
https://access.redhat.com/security/cve/CVE-2024-24680	2024-08-20
https://bugzilla.redhat.com/show_bug.cgi?id=2261856	2024-08-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.2 < 3.2.24 Search vendor "Djangoproject" for product "Django" and version " >= 3.2 < 3.2.24"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 4.2 < 4.2.10 Search vendor "Djangoproject" for product "Django" and version " >= 4.2 < 4.2.10"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 5.0 < 5.0.2 Search vendor "Djangoproject" for product "Django" and version " >= 5.0 < 5.0.2"		-		Affected