CVE-2020-15225

EUVD-2021-0053
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
django-filter_projectdjango-filter
𝑥
< 2.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
django-filter
bookworm
23.1-1
fixed
bullseye
2.4.0-1
fixed
buster
no-dsa
sid
24.2-1
fixed
stretch
no-dsa
trixie
24.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
django-filter
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
https://github.com/carltongibson/django-filter/releases/tag/2.4.0
https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX/
https://pypi.org/project/django-filter/
https://security.netapp.com/advisory/ntap-20210604-0010/
https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
https://github.com/carltongibson/django-filter/releases/tag/2.4.0
https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX/
https://pypi.org/project/django-filter/
https://security.netapp.com/advisory/ntap-20210604-0010/