Bug 2261856 (CVE-2024-24680)

Summary: CVE-2024-24680 Django: denial-of-service in ``intcomma`` template filter
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, apevec, bbuckingham, bcourt, brking, caswilli, dranck, eglynn, ehelms, epacific, ggainey, gtanzill, haoli, hkataria, jajackso, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jschluet, jsherril, jtanner, juwatts, jweng, jwong, kaycoth, kegrant, kholdawa, koliveir, kshier, lcouzens, lhh, lsvaty, luizcosta, lzap, mabashia, mburns, mgarciac, mhulan, mminar, mskarbek, nmoumoul, nweather, omaciel, orabin, pbraun, pcreech, pgrist, rbiba, rbobbitt, rchan, rhos-maint, security-response-team, shvarugh, simaishi, smallamp, smcdonal, sskracic, stcannon, teagle, tfister, thavo, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: django 3.2.24, django 4.2.10, django 5.0.2 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Django. When used with very long strings, the intcomma template filter was subject to a potential denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2261858, 2261859, 2261860, 2261861, 2261862, 2261863, 2261864, 2261865, 2261866, 2261867, 2263504, 2263505, 2263506, 2263507    
Bug Blocks: 2261857    

Description Rohit Keshri 2024-01-30 06:41:14 UTC 
The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Refer:
https://www.djangoproject.com/security/
Comment 3 Borja Tarraso 2024-02-09 13:00:24 UTC 
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2263504]
Affects: fedora-all [bug 2263505]
Affects: openstack-rdo [bug 2263507]


Created python-django3 tracking bugs for this issue:

Affects: fedora-all [bug 2263506]
Comment 4 errata-xmlrpc 2024-02-29 19:41:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
Comment 5 errata-xmlrpc 2024-04-02 19:30:28 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640
Comment 6 errata-xmlrpc 2024-04-18 01:52:08 UTC 
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878
Comment 7 errata-xmlrpc 2024-05-22 20:33:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2731 https://access.redhat.com/errata/RHSA-2024:2731
Comment 8 errata-xmlrpc 2024-08-20 20:30:34 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:5662 https://access.redhat.com/errata/RHSA-2024:5662