CVE-2011-4137

19.10.2011, 10:55

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	5 UNKNOWN	NETWORK	LOW	AV:N/AC:L/Au:N/C:N/I:N/A:P
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Vendor	Product	Version
djangoproject	django	𝑥 ≤ 1.2.6
djangoproject	django	0.91
djangoproject	django	0.95
djangoproject	django	0.95.1
djangoproject	django	0.96
djangoproject	django	1.0
djangoproject	django	1.0.1
djangoproject	django	1.0.2
djangoproject	django	1.1
djangoproject	django	1.1.0
djangoproject	django	1.1.2
djangoproject	django	1.1.3
djangoproject	django	1.2
djangoproject	django	1.2.1
djangoproject	django	1.2.1:2
djangoproject	django	1.2.2
djangoproject	django	1.2.3
djangoproject	django	1.2.4
djangoproject	django	1.2.5
djangoproject	django	1.3
djangoproject	django	1.3:alpha1
djangoproject	django	1.3:alpha2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-django

bullseye (security)	2:2.2.28-1~deb11u2 fixed
bullseye	2:2.2.28-1~deb11u2 fixed
bookworm	3:3.2.19-1+deb12u1 fixed
bookworm (security)	3:3.2.19-1+deb12u1 fixed
sid	3:4.2.16-1 fixed
trixie	3:4.2.16-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-django

oneiric	Fixed 1.3-2ubuntu1.1 released
natty	Fixed 1.2.5-1ubuntu1.1 released
maverick	Fixed 1.2.3-1ubuntu0.2.10.10.3 released
lucid	Fixed 1.1.1-2ubuntu1.4 released
hardy	ignored