CVE-2024-28865 - Vulnerability Details - OpenCVE

django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00079.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1025	django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users.
Github GHSA	GHSA-wj85-w4f4-xh8h	Denial of service via regular expression

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c
https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-18T21:53:59.877Z

Updated: 2024-08-21T14:59:23.794Z

Reserved: 2024-03-11T22:45:07.687Z

Link: CVE-2024-28865

Vulnrichment

Updated: 2024-08-02T00:56:58.079Z

NVD

Status : Awaiting Analysis

Published: 2024-03-18T22:15:09.510

Modified: 2024-11-21T09:07:04.317

Link: CVE-2024-28865

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-1333

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28865", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-11T22:45:07.687Z", "datePublished": "2024-03-18T21:53:59.877Z", "dateUpdated": "2024-08-21T14:59:23.794Z"}, "containers": {"cna": {"title": "django-wiki denial of service via regular expression", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h"}, {"name": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "tags": ["x_refsource_MISC"], "url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c"}], "affected": [{"vendor": "django-wiki", "product": "django-wiki", "versions": [{"version": "< 0.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:53:59.877Z"}, "descriptions": [{"lang": "en", "value": "django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users."}], "source": {"advisory": "GHSA-wj85-w4f4-xh8h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.079Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h"}, {"name": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c"}]}, {"affected": [{"vendor": "django-wiki_project", "product": "django-wiki", "cpes": ["cpe:2.3:a:django-wiki_project:django-wiki:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.10.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T14:58:16.161708Z", "id": "CVE-2024-28865", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:59:23.794Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "name": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "name": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.079Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-21T14:58:16.161708Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:django-wiki_project:django-wiki:*:*:*:*:*:*:*:*"], "vendor": "django-wiki_project", "product": "django-wiki", "versions": [{"status": "affected", "version": "0", "lessThan": "0.10.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:59:13.975Z"}}], "cna": {"title": "django-wiki denial of service via regular expression", "source": {"advisory": "GHSA-wj85-w4f4-xh8h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "django-wiki", "product": "django-wiki", "versions": [{"status": "affected", "version": "< 0.10.1"}]}], "references": [{"url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "name": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "name": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T21:53:59.877Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28865", "state": "PUBLISHED", "dateUpdated": "2024-08-21T14:59:23.794Z", "dateReserved": "2024-03-11T22:45:07.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-18T21:53:59.877Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users."}, {"lang": "es", "value": "django-wiki es un sistema wiki para Django. Las instalaciones de django-wiki anteriores a la versi\u00f3n 0.10.1 son vulnerables al contenido de art\u00edculos creados con fines malintencionados que pueden causar un uso severo de la CPU del servidor a trav\u00e9s de un bucle de expresi\u00f3n regular. La versi\u00f3n 0.10.1 soluciona este problema. Como workaround, cierre el acceso para crear y editar art\u00edculos a usuarios an\u00f3nimos."}], "id": "CVE-2024-28865", "lastModified": "2024-11-21T09:07:04.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-18T22:15:09.510", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c"}, {"source": "security-advisories@github.com", "url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/django-wiki/django-wiki/commit/8e280fd6c0bd27ce847c67b2d216c6cbf920f88c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/django-wiki/django-wiki/security/advisories/GHSA-wj85-w4f4-xh8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}