Bug 1955772 (CVE-2020-15225) - CVE-2020-15225 python-django-filter: Maliciously input using exponential format may cause denial of service
Summary: CVE-2020-15225 python-django-filter: Maliciously input using exponential form...
Keywords:
Status: NEW
Alias: CVE-2020-15225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959831 1965076 1955773 1955774
Blocks: 1955775
TreeView+ depends on / blocked
 
Reported: 2021-04-30 18:35 UTC by Pedro Sampaio
Modified: 2021-12-20 17:33 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-django-filter. Automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2021-04-30 18:35:34 UTC
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

References:

https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
https://pypi.org/project/django-filter/
https://github.com/carltongibson/django-filter/releases/tag/2.4.0

Comment 1 Pedro Sampaio 2021-04-30 18:36:20 UTC
Created python-django-filter tracking bugs for this issue:

Affects: epel-all [bug 1955774]
Affects: fedora-all [bug 1955773]

Comment 3 Tapas Jena 2021-05-26 18:32:56 UTC
Analysis is complete for AAP. Currently, the pulp-core component does use the affected version i.e. 2.3.0 along with the vulnerable function i.e. NumberFilter in one of the pulp-core end point . Hence, marking it as "Affected/Delegated".

Comment 5 Tapas Jena 2021-05-26 18:37:38 UTC
Hi @amctagga,

Could you please elaborate a bit on the CVSS Score difference. To be specific, why AV as Local and AC as Low. As I have different view on this.

Comment 6 amctagga 2021-05-27 19:16:26 UTC
In reply to comment #5:
> Hi @amctagga,
> 
> Could you please elaborate a bit on the CVSS Score difference. To be
> specific, why AV as Local and AC as Low. As I have different view on this.

hmm, if you agree with NIST, I'm happy to change it, it was a first pass attempt. I think a full denial of service should be AC=high and I put AV as local assuming one would need access to the system to send input, but I can see a scenario where network makes sense. What do you think makes sense here?

Comment 7 Tapas Jena 2021-06-02 03:42:55 UTC
Hi @amctagga,

Thanks for your response. From my point of view, Attack Complexity i.e. AC should be Low in this case, as all the user need to do is to input using exponential format with sufficiently large exponents and the NumberFilter` instance automatically converts them to a large integer. So, there is no complex exploit here. 

NOTE: Currently, only pulpcore component does use the affected NumberFilter functionality as confirmed by Ansible Engineering Team..

However, when it comes to Attack Vector, though the affected functionality can be accessed by authenticated users only, it doesn't have to be local.Hence, I found AV as Network.

Coming to Privilege Required parameter, as stated above as well, in order to access the affected functionality i.e. NumberFilter, the User must have valid Hub credential. It doesn't have to be high privilege. So, I found PR as Low i.e. PR=Low.

So, to conclude, its AC = L, AV = N and PR = L which makes the CVSS score to 6.5 .  Let me know, if you find this accurate Or having any 2nd thought on this.

Kind Regards,
Tapas J

Comment 8 Tapas Jena 2021-06-02 03:54:57 UTC
Red Hat's Justification for CVSS Difference

*PR (Privilege Required) : NVD -> N , RH - > L :  In order to access the affected functionality i.e. NumberFilter, the User must have valid Hub credential. It doesn't have to be high privilege. So, I found PR as Low i.e. PR=L.

Comment 9 Tapas Jena 2021-06-02 04:31:12 UTC
Red Hat's Justification for CVSS Difference

*PR : In order to access the affected functionality i.e. NumberFilter, the User must have valid Ansible Automation Hub credential. It doesn't have to be high privilege though. Hence, it feels adequate that Privilege Required should be Low i.e PR = L.

Comment 10 amctagga 2021-06-03 01:06:15 UTC
In reply to comment #7:
> Hi @amctagga,
> 
> Thanks for your response. From my point of view, Attack Complexity i.e. AC
> should be Low in this case, as all the user need to do is to input using
> exponential format with sufficiently large exponents and the NumberFilter`
> instance automatically converts them to a large integer. So, there is no
> complex exploit here. 
> 
> NOTE: Currently, only pulpcore component does use the affected NumberFilter
> functionality as confirmed by Ansible Engineering Team..
> 
> However, when it comes to Attack Vector, though the affected functionality
> can be accessed by authenticated users only, it doesn't have to be
> local.Hence, I found AV as Network.
> 
> Coming to Privilege Required parameter, as stated above as well, in order to
> access the affected functionality i.e. NumberFilter, the User must have
> valid Hub credential. It doesn't have to be high privilege. So, I found PR
> as Low i.e. PR=Low.
> 
> So, to conclude, its AC = L, AV = N and PR = L which makes the CVSS score to
> 6.5 .  Let me know, if you find this accurate Or having any 2nd thought on
> this.
> 
> Kind Regards,
> Tapas J
sounds good to me!


Note You need to log in before you can comment on or make changes to this bug.