Bugzilla – Bug 1194117
VUL-0: CVE-2021-45116: python-Django,python-Django1: Potential information disclosure in dictsort template filter
Last modified: 2022-06-10 08:47:59 UTC
CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``
=====================================================================================

:class:`.UserAttributeSimilarityValidator` incurred significant overhead evaluating submitted passwords that were artificially large relative to the comparison values. On the assumption that access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. In order to mitigate this issue, relatively long values are now ignored by ``UserAttributeSimilarityValidator``.

Affected versions
=================

* Django main development branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 4.0.1
* Django 3.2.11
* Django 2.2.26
The title in the first comment is wrong, my apologies. It should say: CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
Created attachment 854850: Upstream patch 2.2
Created attachment 854851: Upstream patch 3.2
Created attachment 854852: Upstream patch 4.0
Created attachment 854853: Upstream patch main branch
The correct bug description is the following:

Due to leveraging the Django Template Language's variable resolution logic, the :tfilter:`dictsort` template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key. In order to avoid this possibility, ``dictsort`` now works with a restricted resolution logic, that will not call methods, nor allow indexing on dictionaries.

Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1

Also affected on openSUSE:
- openSUSE:Leap:15.2 / python-Django (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP2 / python-Django (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP3 / python-Django
- openSUSE:Backports:SLE-15-SP4 / python-Django
- openSUSE:Factory / python-Django
- openSUSE:Leap:15.2 / python-Django1 (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP2 / python-Django1 (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP3 / python-Django1
- openSUSE:Backports:SLE-15-SP4 / python-Django1
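To make the "restricted resolution logic" in the description above concrete, here is a simplified key resolver for a dictsort-style filter: it walks a dotted key one part at a time, never invokes a method it reaches, and refuses underscore-prefixed names. This is an added illustration written for this bug, not Django's own code; `restricted_resolver`, `dictsort` and the `Account` sample class are constructed names.

```python
import operator


def restricted_resolver(key):
    """Return a callable that fetches `key` from an item without calling methods.

    Numeric keys behave like operator.itemgetter; dotted keys are walked one
    part at a time (item lookup, then attribute lookup). Whatever a lookup
    returns is used as-is, so a bound method is never invoked.
    """
    try:
        float(key)
    except ValueError:
        parts = key.split(".")
        # Refuse private and dunder names such as "__class__" or "_secret".
        if any(part.startswith("_") for part in parts):
            raise AttributeError("Access to private variables is forbidden.")

        def resolve(item):
            value = item
            for part in parts:
                try:
                    value = value[part]
                except (AttributeError, IndexError, KeyError, TypeError, ValueError):
                    value = getattr(value, part)
            return value

        return resolve
    return operator.itemgetter(key)


def dictsort(value, arg):
    """Sort `value` by key `arg`; return [] when the key cannot be resolved."""
    try:
        return sorted(value, key=restricted_resolver(arg))
    except (AttributeError, TypeError, ValueError):
        return []


class Account:
    """Constructed sample object: public fields plus a method a sort key must not call."""

    def __init__(self, name, balance):
        self.name = name
        self.balance = balance

    def reset_token(self):
        return "token-for-" + self.name
```

A key such as `"reset_token"` resolves to the bound method object itself, and because method objects are not orderable the sort fails closed and returns an empty list instead of executing the method.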
Fergal will look into this for the Cloud repos:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1
4.0.1 is already in dlpd and on its way to factory
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django:
* https://build.suse.de/request/show/261771

SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1:
* https://build.suse.de/request/show/261772
SUSE-SU-2022:0102-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.33.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.33.1
HPE Helion Openstack 8 (src): python-Django-1.11.29-3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0103-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.30.1
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.29-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC updates released, back to security team.
Done, closing.