Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg3Z20tcmZndi13OTcz
Potential DoS with NumberFilter conversion to integer values.
Impact
Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to a potential DoS from malicious input using exponential format with sufficiently large exponents.
Patches
Version 2.4.0+ applies a MaxValueValidator with a default limit_value of 1e50 to the form field used by NumberFilter instances.
In addition, NumberFilter implements the new get_max_validator(), which should return a configured validator instance to customise the limit, or else None to disable the additional validation.
Workarounds
Users may manually apply an equivalent validator if they are not able to upgrade.
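The following is an added example, not code from django-filter or from the advisory, showing the shape of the fix described above: a bound is checked on the parsed Decimal before the value is converted to an integer, and a get_max_validator() hook lets a subclass customise the limit or return None to disable it. It uses a pure-Python stand-in for Django's MaxValueValidator and for the form-field cleaning step so it runs without Django; the class names NumberFilter, LegacyNumberFilter, TightNumberFilter and the helper is_accepted are assumptions made for illustration, and the 1e9 limit is chosen arbitrarily.

```python
from decimal import Decimal, InvalidOperation

# Default upper bound named in the advisory (limit_value of 1e50).
DEFAULT_LIMIT_VALUE = Decimal("1e50")


class MaxValueValidator:
    """Stand-in for Django's MaxValueValidator (assumed shape: a callable that
    raises when the value exceeds limit_value)."""

    def __init__(self, limit_value):
        self.limit_value = Decimal(str(limit_value))

    def __call__(self, value):
        # Decimal comparison works on sign, exponent and coefficient, so it stays
        # cheap however large the exponent of the incoming value is.
        if value > self.limit_value:
            raise ValueError(
                f"Ensure this value is less than or equal to {self.limit_value}."
            )


class NumberFilter:
    """Hypothetical stand-in for the filter: parse the raw query value as a
    Decimal, run the max validator, and only then convert to int."""

    def get_max_validator(self):
        # Hook described in the advisory: return a validator to customise the
        # limit, or None to disable the additional validation.
        return MaxValueValidator(DEFAULT_LIMIT_VALUE)

    def clean(self, raw):
        try:
            value = Decimal(raw)
        except InvalidOperation:
            raise ValueError("Enter a number.")
        if not value.is_finite():  # reject NaN / Infinity before comparing
            raise ValueError("Enter a number.")
        validator = self.get_max_validator()
        if validator is not None:
            validator(value)
        # The integer conversion, whose cost grows with the exponent, happens
        # only after the bound has been enforced.
        return int(value)


class LegacyNumberFilter(NumberFilter):
    """Pre-2.4.0 behaviour for comparison: no bound, every parsed value goes
    straight to int()."""

    def get_max_validator(self):
        return None


class TightNumberFilter(NumberFilter):
    """Customising the limit through the hook (1e9 is an arbitrary choice)."""

    def get_max_validator(self):
        return MaxValueValidator("1e9")


def is_accepted(filter_obj, raw):
    """Return True if the filter accepts raw, False if validation rejects it."""
    try:
        filter_obj.clean(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary value, the default boundary,
    # and an exponential-format value well above the limit.
    for raw in ("12.5", "1e50", "1e51"):
        print(raw, "->", "accepted" if is_accepted(NumberFilter(), raw) else "rejected")
```

The same ordering is what a manual workaround on an older release needs to preserve: attach the validator to the form field so it runs on the Decimal the field produces, rather than checking the value after it has already been turned into an int.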
For more information
If you have any questions or comments about this advisory:
- Open an issue in the django-filter repo
Thanks to Marcin Waraksa for the report.
Permalink: https://github.com/advisories/GHSA-x7gm-rfgv-w973
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg3Z20tcmZndi13OTcz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-x7gm-rfgv-w973, CVE-2020-15225
References:
- https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
- https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
- https://github.com/carltongibson/django-filter/releases/tag/2.4.0
- https://pypi.org/project/django-filter/
- https://nvd.nist.gov/vuln/detail/CVE-2020-15225
- https://security.netapp.com/advisory/ntap-20210604-0010/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX/
- https://github.com/advisories/GHSA-x7gm-rfgv-w973
Blast Radius: 34.6
Affected Packages
pypi:django-filter
Dependent packages: 238
Dependent repositories: 40,492
Downloads: 4,928,031 last month
Affected Version Ranges: < 2.4.0
Fixed in: 2.4.0
All affected versions: 0.1.0, 0.2.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0
All unaffected versions: 2.4.0