{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-11T02:06:36", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-45115", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!forum/django-announce", "refsource": "MISC", "url": "https://groups.google.com/forum/#!forum/django-announce"}, {"name": "https://docs.djangoproject.com/en/4.0/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"}, {"name": "https://security.netapp.com/advisory/ntap-20220121-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"}, {"name": "FEDORA-2022-e7fd530688", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.303Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-45115", "datePublished": "2022-01-04T23:16:00", "dateReserved": "2021-12-16T00:00:00", "dateUpdated": "2024-08-04T04:39:20.303Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "E20BDA6F-5744-4B52-B995-529E3A14EF69", "versionEndExcluding": "2.2.26", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E0CB9E7-6BFE-4732-872F-1DE2BFCA9223", "versionEndExcluding": "3.2.11", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAF6F5EA-00FA-4871-A06F-0F6F7DF1D06D", "versionEndExcluding": "4.0.1", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."}, {"lang": "es", "value": "Se ha detectado un problema en Django versiones 2.2 anteriores a 2.2.26, 3.2 anteriores a 3.2.11 y 4.0 anteriores a 4.0.1. UserAttributeSimilarityValidator incurr\u00eda en una sobrecarga significativa al evaluar una contrase\u00f1a enviada que era artificialmente grande en relaci\u00f3n con los valores de comparaci\u00f3n. En una situaci\u00f3n en la que el acceso al registro de usuarios no estaba restringido, esto proporcionaba un vector potencial para un ataque de denegaci\u00f3n de servicio."}], "id": "CVE-2021-45115", "lastModified": "2023-11-07T03:39:49.040", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-05T00:15:07.907", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite_capsule:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}], "bugzilla": {"description": "django: Denial-of-service possibility in UserAttributeSimilarityValidator", "id": "2037024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2037024"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.", "A resource-consumption flaw was found in django's UserAttributeSimilarityValidator, where it incurred significant overhead evaluating any submitted password that was artificially large relative to comparison values. A network attacker could exploit this flaw to cause a denial of service."], "name": "CVE-2021-45115", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "package_name": "django", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python3-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2022-01-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-45115\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45115\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/"], "statement": "In Red Hat OpenStack Platform, because the flaw's impact is lower and the impacted functionality is not directly used, no update will be provided at this time for the python-django20 package.", "threat_severity": "Moderate", "upstream_fix": "Django 4.0.1, Django 3.2.11, Django 2.2.26"}