CVE-2024-41991 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitre	CNA	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
djangoproject	django	4.2 ≤ 𝑥 < 4.2.15
djangoproject	django	5.0 ≤ 𝑥 < 5.0.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-django

bullseye	postponed
bookworm	no-dsa
bullseye (security)	vulnerable
bookworm (security)	vulnerable
trixie	3:4.2.21-1 fixed
sid	3:4.2.21-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-django

plucky	Fixed 3:4.2.15-1 released
oracular	Fixed 3:4.2.15-1 released
noble	Fixed 3:4.2.11-1ubuntu1.2 released
jammy	Fixed 2:3.2.12-2ubuntu1.13 released
focal	Fixed 2:2.2.12-1ubuntu0.24 released
bionic	Fixed 1:1.11.11-1ubuntu1.21+esm6 released
xenial	needs-triage
trusty	needs-triage

Common Weakness Enumeration

CWE-1284 - Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-130 - Improper Handling of Length Parameter Inconsistency
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

References

https://docs.djangoproject.com/en/dev/releases/security/

https://groups.google.com/forum/#%21forum/django-announce

https://www.djangoproject.com/weblog/2024/aug/06/security-releases/