Multiple vulnerabilities in Django



Published: 2019-08-01
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2019-14232
CVE-2019-14233
CVE-2019-14234
CVE-2019-14235
CWE-ID CWE-399
CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Django
Web applications / CMS

Vendor Django Software Foundation

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU19617

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-14232

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of truncatechars_html and truncatewords_html template filters in django.utils.text.Truncator during evaluation of HTML content. A remote attacker can pass large content in HTML format to the application and trigger resource exhaustion.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Django: 2.1.0 - 2.2.3, 1.11.1 - 1.11.22


CPE2.3 External links

http://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Resource management error

EUVDB-ID: #VU19618

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-14233

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of django.utils.html.strip_tags() during evaluation of HTML content. A remote attacker can pass large content in HTML format to the application and trigger resource exhaustion.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Django: 2.1.0 - 2.2.3, 1.11.1 - 1.11.22


CPE2.3 External links

http://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) SQL injection

EUVDB-ID: #VU19619

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-14234

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in django.contrib.postgres.fields.JSONField and django.contrib.postgres.fields.HStoreField. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Django: 2.1.0 - 2.2.3, 1.11.1 - 1.11.22


CPE2.3 External links

http://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Resource management error

EUVDB-ID: #VU19620

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-14235

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when parsing URF-8 data with django.utils.encoding.uri_to_iri(). A remote attacker can pass specially crafted content to the application and consume all available memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Django: 2.1.0 - 2.2.3, 1.11.1 - 1.11.22


CPE2.3 External links

http://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###