Описание
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
A resource-consumption flaw was found in django's UserAttributeSimilarityValidator, where it incurred significant overhead evaluating any submitted password that was artificially large relative to comparison values. A network attacker could exploit this flaw to cause a denial of service.
Отчет
In Red Hat OpenStack Platform, because the flaw's impact is lower and the impacted functionality is not directly used, no update will be provided at this time for the python-django20 package.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | python-django | Affected | ||
| Red Hat Ansible Automation Platform 2 | python-django | Affected | ||
| Red Hat Ansible Tower 3 | django | Affected | ||
| Red Hat Ceph Storage 2 | calamari-server | Out of support scope | ||
| Red Hat Ceph Storage 2 | python-django | Out of support scope | ||
| Red Hat Ceph Storage 3 | python-django | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | python-django | Out of support scope | ||
| Red Hat OpenStack Platform 16.1 | python-django20 | Will not fix | ||
| Red Hat OpenStack Platform 16.2 | python-django20 | Will not fix | ||
| Red Hat Satellite 6 | python3-django | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...
Уязвимость компонента UserAttributeSimilarityValidator фреймворка для веб-разработки Django, позволяющая нарушителю выполнить отказ в обслуживании
EPSS
7.5 High
CVSS3