1219683 – (CVE-2024-24680) VUL-0: CVE-2024-24680: python-Django,python-Django1: denial-of-service in intcomma template filter

Bug 1219683 (CVE-2024-24680) - VUL-0: CVE-2024-24680: python-Django,python-Django1: denial-of-service in intcomma template filter

Summary: VUL-0: CVE-2024-24680: python-Django,python-Django1: denial-of-service in int...

Status:	RESOLVED FIXED

Alias:	CVE-2024-24680

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Alberto Planas Dominguez
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/393243/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-24680:7.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-02-07 16:50 UTC by SMASH SMASH
Modified:	2024-05-17 09:20 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-02-07 16:50:34 UTC

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24680
https://seclists.org/oss-sec/2024/q1/111
https://docs.djangoproject.com/en/5.0/releases/security/
https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
https://groups.google.com/forum/#%21forum/django-announce
https://www.cve.org/CVERecord?id=CVE-2024-24680

Patch:
main -
https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9

5.0 - https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc

4.2 - https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2

3.2 - https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820

Comment 2 OBSbugzilla Bot 2024-02-09 12:15:04 UTC

This is an autogenerated message for OBS integration:
This bug (1219683) was mentioned in
https://build.opensuse.org/request/show/1145400 Factory / python-Django

Comment 10 OBSbugzilla Bot 2024-03-12 11:35:06 UTC

This is an autogenerated message for OBS integration:
This bug (1219683) was mentioned in
https://build.opensuse.org/request/show/1156259 Backports:SLE-15-SP6 / python-Django

Comment 11 Maintenance Automation 2024-03-13 16:30:07 UTC

SUSE-SU-2024:0875-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219683, 1220358
CVE References: CVE-2024-24680, CVE-2024-27351
Sources used:
HPE Helion OpenStack 8 (src): python-Django-1.11.29-3.59.3, venv-openstack-horizon-hpe-12.0.5~dev6-14.54.4
SUSE OpenStack Cloud 8 (src): venv-openstack-horizon-12.0.5~dev6-14.54.5, python-Django-1.11.29-3.59.3
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.59.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-03-13 16:30:10 UTC

SUSE-SU-2024:0874-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219683, 1220358
CVE References: CVE-2024-24680, CVE-2024-27351
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.58.3
SUSE OpenStack Cloud 9 (src): venv-openstack-horizon-14.1.1~dev11-4.51.4, python-Django1-1.11.29-3.58.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Andrea Mattiazzo 2024-05-16 15:19:59 UTC

I think all is done, closing.