Bug 2261856 (CVE-2024-24680) - CVE-2024-24680 Django: denial-of-service in ``intcomma`` template filter
Summary: CVE-2024-24680 Django: denial-of-service in ``intcomma`` template filter
Keywords:
Status: NEW
Alias: CVE-2024-24680
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2261861 2261862 2261866 2261867 2263507 2261858 2261859 2261860 2261863 2261864 2261865 2263504 2263505 2263506
Blocks: 2261857
TreeView+ depends on / blocked
 
Reported: 2024-01-30 06:41 UTC by Rohit Keshri
Modified: 2024-05-22 20:33 UTC (History)
50 users (show)

Fixed In Version: django 3.2.24, django 4.2.10, django 5.0.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Django. When used with very long strings, the intcomma template filter was subject to a potential denial of service attack.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1057 0 None None None 2024-02-29 19:41:57 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:31 UTC
Red Hat Product Errata RHSA-2024:1878 0 None None None 2024-04-18 01:52:11 UTC
Red Hat Product Errata RHSA-2024:2731 0 None None None 2024-05-22 20:33:15 UTC

Description Rohit Keshri 2024-01-30 06:41:14 UTC
The ``intcomma`` template filter was subject to a potential denial-of-service
attack when used with very long strings.

Refer:
https://www.djangoproject.com/security/

Comment 3 Borja Tarraso 2024-02-09 13:00:24 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2263504]
Affects: fedora-all [bug 2263505]
Affects: openstack-rdo [bug 2263507]


Created python-django3 tracking bugs for this issue:

Affects: fedora-all [bug 2263506]

Comment 4 errata-xmlrpc 2024-02-29 19:41:54 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057

Comment 5 errata-xmlrpc 2024-04-02 19:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 6 errata-xmlrpc 2024-04-18 01:52:08 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

Comment 7 errata-xmlrpc 2024-05-22 20:33:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2731 https://access.redhat.com/errata/RHSA-2024:2731


Note You need to log in before you can comment on or make changes to this bug.