Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ajg1LXc0ZjQteGg4aM4AA6Gp
Denial of service via regular expression
Impact
All historical installations of django-wiki are vulnerable to maliciously crafted article content, that can cause severe use of server CPU through a regular expression loop.
Patches
Workarounds
Close off access to create and edit articles by anonymous users.
References
Are there any links users can visit to find out more?
Permalink: https://github.com/advisories/GHSA-wj85-w4f4-xh8hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ajg1LXc0ZjQteGg4aM4AA6Gp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-wj85-w4f4-xh8h, CVE-2024-28865
References:
- https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h
- https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c
- https://nvd.nist.gov/vuln/detail/CVE-2024-28865
- https://github.com/advisories/GHSA-wj85-w4f4-xh8h
Blast Radius: 15.0
Affected Packages
pypi:wiki
Dependent packages: 0Dependent repositories: 101
Downloads: 9,076 last month
Affected Version Ranges: < 0.10.1
Fixed in: 0.10.1
All affected versions: 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.1.1, 0.1.2, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.1, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.8.1, 0.8.2
All unaffected versions: 0.10.1, 0.11.1