django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()`, which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

References:
https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
https://pypi.org/project/django-filter/
https://github.com/carltongibson/django-filter/releases/tag/2.4.0
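The following is an added example, not django-filter's or Django's own code, that models the order of operations the advisory describes: parsing the query parameter as a Decimal is cheap for any exponent, comparing it against a limit is cheap, and only the final int() conversion has to materialise 10**exponent digits. It runs without Django installed, so `max_value_validator`, `ValidationError`, `clean_number` and `is_rejected` are stand-ins of my own (assumed to behave like Django's `MaxValueValidator` and `ValidationError`); the sample inputs are constructed. Passing `max_validator=None` reproduces the pre-2.4.0 flow, the equivalent of `get_max_validator()` returning `None`.

```python
"""Model of the django-filter 2.4.0 NumberFilter hardening (added example).

Not django-filter's own code: uses a small stand-in for
django.core.validators.MaxValueValidator so it runs without Django.
"""
from decimal import Decimal, InvalidOperation

# Same default limit_value that django-filter 2.4.0 passes to MaxValueValidator.
DEFAULT_LIMIT = Decimal("1e50")


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError (assumption)."""


def max_value_validator(limit_value):
    """Stand-in for MaxValueValidator: reject values above limit_value.

    Decimal comparison inspects sign, digits and exponent only, so it stays
    cheap even for Decimal("1e100000000"); nothing is expanded here.
    """
    limit_value = Decimal(limit_value)

    def validate(value):
        if value > limit_value:
            raise ValidationError(
                f"Ensure this value is less than or equal to {limit_value}.")
    return validate


def clean_number(raw, max_validator=max_value_validator(DEFAULT_LIMIT)):
    """Parse a NumberFilter-style query parameter and return it as an int.

    Order mirrors the fixed flow: parse as Decimal (cheap for any exponent),
    run the validator, and only then call int(). int() is the step that must
    build 10**exponent digits, which a huge exponent turns into a CPU-bound
    denial of service. max_validator=None is the pre-2.4.0 behaviour.
    """
    try:
        value = Decimal(raw)
    except InvalidOperation:
        raise ValidationError("Enter a number.") from None
    if not value.is_finite():  # NaN / Infinity are not usable filter values
        raise ValidationError("Enter a number.")
    if max_validator is not None:
        max_validator(value)
    return int(value)


def is_rejected(raw, limit=DEFAULT_LIMIT):
    """True when the hardened path refuses the input before int() runs."""
    try:
        clean_number(raw, max_value_validator(limit))
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: ordinary values plus the shape of the malicious
    # exponential-format input the advisory describes. The exponent is kept
    # modest so the script stays safe even if someone removes the guard.
    for raw in ("42", "1.5e3", "1e50", "1e60", "1e500000"):
        print(f"{raw!r:>12}: rejected={is_rejected(raw)}")
```

To apply the equivalent guard on an unpatched install, as the advisory suggests, append `MaxValueValidator(1e50)` to `filter.field.validators` for each `NumberFilter`, which is what 2.4.0's `NumberFilter.field` does with the value returned by `get_max_validator()`.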
Created python-django-filter tracking bugs for this issue: Affects: epel-all [bug 1955774] Affects: fedora-all [bug 1955773]
Analysis is complete for AAP. Currently, the pulp-core component does use the affected version, i.e. 2.3.0, along with the vulnerable function, i.e. NumberFilter, in one of the pulp-core endpoints. Hence, marking it as "Affected/Delegated".
Hi @amctagga, Could you please elaborate a bit on the CVSS Score difference. To be specific, why AV as Local and AC as Low. As I have different view on this.
In reply to comment #5: > Hi @amctagga, > > Could you please elaborate a bit on the CVSS Score difference. To be > specific, why AV as Local and AC as Low. As I have different view on this. hmm, if you agree with NIST, I'm happy to change it, it was a first pass attempt. I think a full denial of service should be AC=high and I put AV as local assuming one would need access to the system to send input, but I can see a scenario where network makes sense. What do you think makes sense here?
Hi @amctagga, Thanks for your response. From my point of view, Attack Complexity i.e. AC should be Low in this case, as all the user needs to do is to input using exponential format with sufficiently large exponents and the `NumberFilter` instance automatically converts them to a large integer. So, there is no complex exploit here. NOTE: Currently, only the pulpcore component does use the affected NumberFilter functionality, as confirmed by the Ansible Engineering Team. However, when it comes to Attack Vector, though the affected functionality can be accessed by authenticated users only, it doesn't have to be local. Hence, I found AV as Network. Coming to the Privilege Required parameter, as stated above as well, in order to access the affected functionality i.e. NumberFilter, the User must have a valid Hub credential. It doesn't have to be high privilege. So, I found PR as Low i.e. PR=Low. So, to conclude, it's AC = L, AV = N and PR = L, which makes the CVSS score 6.5. Let me know if you find this accurate or have any second thoughts on this. Kind Regards, Tapas J
Red Hat's Justification for CVSS Difference *PR (Privilege Required) : NVD -> N , RH - > L : In order to access the affected functionality i.e. NumberFilter, the User must have valid Hub credential. It doesn't have to be high privilege. So, I found PR as Low i.e. PR=L.
Red Hat's Justification for CVSS Difference *PR : In order to access the affected functionality i.e. NumberFilter, the User must have valid Ansible Automation Hub credential. It doesn't have to be high privilege though. Hence, it feels adequate that Privilege Required should be Low i.e PR = L.
In reply to comment #7: > Hi @amctagga, > > Thanks for your response. From my point of view, Attack Complexity i.e. AC > should be Low in this case, as all the user need to do is to input using > exponential format with sufficiently large exponents and the `NumberFilter` > instance automatically converts them to a large integer. So, there is no > complex exploit here. > > NOTE: Currently, only pulpcore component does use the affected NumberFilter > functionality as confirmed by Ansible Engineering Team. > > However, when it comes to Attack Vector, though the affected functionality > can be accessed by authenticated users only, it doesn't have to be > local. Hence, I found AV as Network. > > Coming to Privilege Required parameter, as stated above as well, in order to > access the affected functionality i.e. NumberFilter, the User must have > valid Hub credential. It doesn't have to be high privilege. So, I found PR > as Low i.e. PR=Low. > > So, to conclude, its AC = L, AV = N and PR = L which makes the CVSS score to > 6.5 . Let me know, if you find this accurate Or having any 2nd thought on > this. > > Kind Regards, > Tapas J sounds good to me!