2136130 – (CVE-2022-41323) CVE-2022-41323 python-django: Potential denial-of-service vulnerability in internationalized URLs

Bug 2136130 (CVE-2022-41323) - CVE-2022-41323 python-django: Potential denial-of-service vulnerability in internationalized URLs

Summary: CVE-2022-41323 python-django: Potential denial-of-service vulnerability in in...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-41323
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2136879 2136134 2136135 2136136 2136137 2136138 2136139 2138114
Blocks:	2132135
TreeView+	depends on / blocked

Reported:	2022-10-19 12:08 UTC by ybuenos
Modified:	2023-05-03 13:20 UTC (History)
CC List:	46 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A denial of service flaw was discovered in Django. This issue occurs when incorrectly handling certain internationalized URLs. A malicious attacker could use this issue to cause a crash, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2023-02-14 22:42:11 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0742	0	None	None	None	2023-02-13 12:00:36 UTC
Red Hat Product Errata	RHSA-2023:2097	0	None	None	None	2023-05-03 13:20:00 UTC

Description ybuenos 2022-10-19 12:08:20 UTC

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

https://docs.djangoproject.com/en/4.0/releases/security/
https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
https://groups.google.com/forum/#!forum/django-announce

Comment 1 ybuenos 2022-10-19 12:15:52 UTC

Created python-django tracking bugs for this issue:

Affects: fedora-35 [bug 2136135]
Affects: fedora-36 [bug 2136136]


Created python-django3 tracking bugs for this issue:

Affects: epel-8 [bug 2136134]
Affects: fedora-36 [bug 2136137]

Comment 18 errata-xmlrpc 2023-02-13 12:00:33 UTC

This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:0742 https://access.redhat.com/errata/RHSA-2023:0742

Comment 19 Product Security DevOps Team 2023-02-14 22:42:08 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41323

Comment 20 errata-xmlrpc 2023-05-03 13:19:57 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Note You need to log in before you can comment on or make changes to this bug.

adudiak
aoconnor
apevec
bbuckingham
bcoca
bcourt
bkearney
bniver
btotty
davidn
eglynn
ehelms
epacific
flucifre
gmeno
jcammara
jhardy
jjoyce
jneedle
jobarker
jsherril
lhh
lzap
mabashia
mbenjamin
mburns
mgarciac
mhackett
mhulan
mmccune
myarboro
nmoumoul
orabin
osapryki
pcreech
rchan
rhos-maint
simaishi
smcdonal
sostapov
spower
stcannon
tfister
vereddy
yguenane
zsadeh