Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


Potential DoS with NumberFilter conversion to integer values.

Impact

Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to a potential DoS from malicious input using exponential format with sufficiently large exponents.

Patches

Version 2.4.0+ applies a MaxValueValidator with a default limit_value of 1e50 to the form field used by NumberFilter instances.

In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation.

Workarounds

Users may manually apply an equivalent validator if they are not able to upgrade.

For more information

If you have any questions or comments about this advisory:

Thanks to Marcin Waraksa for the report.

Permalink: https://github.com/advisories/GHSA-x7gm-rfgv-w973
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg3Z20tcmZndi13OTcz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-x7gm-rfgv-w973, CVE-2020-15225
References: Repository: https://github.com/carltongibson/django-filter
Blast Radius: 34.6

Affected Packages

pypi:django-filter
Dependent packages: 238
Dependent repositories: 40,492
Downloads: 4,928,031 last month
Affected Version Ranges: < 2.4.0
Fixed in: 2.4.0
All affected versions: 0.1.0, 0.2.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0
All unaffected versions: 2.4.0