{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-24680", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-01T23:28:11.095Z", "dateReserved": "2024-01-26T00:00:00", "datePublished": "2024-02-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-20T03:05:55.273636"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://docs.djangoproject.com/en/5.0/releases/security/"}, {"url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"}, {"name": "FEDORA-2024-5c7fb64c74", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"}, {"name": "FEDORA-2024-2ec03ca8cb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"}, {"name": "FEDORA-2024-84fbbbb914", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.095Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce", "tags": ["x_transferred"]}, {"url": "https://docs.djangoproject.com/en/5.0/releases/security/", "tags": ["x_transferred"]}, {"url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-5c7fb64c74", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"}, {"name": "FEDORA-2024-2ec03ca8cb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"}, {"name": "FEDORA-2024-84fbbbb914", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "527AB2FB-6590-4F90-B749-451EA45741FB", "versionEndExcluding": "3.2.24", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0C66920-1C09-4572-985B-8948D9DA1F11", "versionEndExcluding": "4.2.10", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD053762-6CAA-4F50-BE69-39F466C9079A", "versionEndExcluding": "5.0.2", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Django 3.2 anterior a 3.2.24, 4.2 anterior a 4.2.10 y Django 5.0 anterior a 5.0.2. El filtro de plantilla intcomma estaba sujeto a un posible ataque de denegaci\u00f3n de servicio cuando se utilizaba con cadenas muy largas."}], "id": "CVE-2024-24680", "lastModified": "2024-11-21T08:59:29.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-06T22:16:15.470", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/5.0/releases/security/"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/5.0/releases/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1057", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-django-0:4.2.10-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.5-2.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1057", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-django-0:4.2.10-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1640", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.5-2.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:2731", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "python-django-0:2.2.24-8.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:5662", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "package": "python-django-0:4.2.14-1.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-08-20T00:00:00Z"}, {"advisory": "RHSA-2024:5662", "cpe": "cpe:/a:redhat:satellite_capsule:6.15::el8", "package": "python-django-0:4.2.14-1.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-08-20T00:00:00Z"}, {"advisory": "RHSA-2024:1878", "cpe": "cpe:/a:redhat:rhui:4::el8", "package": "python-django-0:4.2.11-1.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2024-04-18T00:00:00Z"}], "bugzilla": {"description": "Django: denial-of-service in ``intcomma`` template filter", "id": "2261856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261856"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", "A vulnerability was found in Django. When used with very long strings, the intcomma template filter was subject to a potential denial of service attack."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-24680", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Out of support scope", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Not affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Out of support scope", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}], "public_date": "2024-02-06T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24680\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24680\nhttps://github.com/advisories/GHSA-xxj9-f6rv-m3x4\nhttps://www.djangoproject.com/weblog/2024/feb/06/security-releases/"], "statement": "Redhat has rated this vulnerability as moderate severity because exploitation of this vulnerability is only theoretical in nature and can only result in a denial of service bug.", "threat_severity": "Moderate"}