Search for vulnerabilities
Vulnerability details: VCID-6vf7-qted-aaae
Vulnerability ID VCID-6vf7-qted-aaae
Aliases BIT-django-2024-38875
CVE-2024-38875
GHSA-qg2p-9jwr-mmqf
PYSEC-2024-56
Summary An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-130 Improper Handling of Length Parameter Inconsistency
CWE-1287 Improper Validation of Specified Type of Input
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38875.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.0007 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.0007 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.0007 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00196 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00199 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00281 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00281 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00281 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00408 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00408 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
epss 0.03635 https://api.first.org/data/v1/epss?cve=CVE-2024-38875
cvssv3.1 3.7 https://docs.djangoproject.com/en/dev/releases/security
generic_textual MODERATE https://docs.djangoproject.com/en/dev/releases/security
generic_textual Medium https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-qg2p-9jwr-mmqf
cvssv3.1 3.7 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 7.5 https://github.com/django/django/commit/7285644640f085f41d60ab0c8ae4e9153f0485db
generic_textual HIGH https://github.com/django/django/commit/7285644640f085f41d60ab0c8ae4e9153f0485db
cvssv3.1 7.5 https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
generic_textual HIGH https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-56.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-56.yaml
cvssv3.1 3.7 https://groups.google.com/forum/#%21forum/django-announce
generic_textual MODERATE https://groups.google.com/forum/#%21forum/django-announce
cvssv3.1 7.5 https://www.djangoproject.com/weblog/2024/jul/09/security-releases
generic_textual HIGH https://www.djangoproject.com/weblog/2024/jul/09/security-releases
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38875.json
https://api.first.org/data/v1/epss?cve=CVE-2024-38875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38875
https://docs.djangoproject.com/en/dev/releases/security
https://docs.djangoproject.com/en/dev/releases/security/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/7285644640f085f41d60ab0c8ae4e9153f0485db
https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-56.yaml
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
1076069 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076069
2295935 https://bugzilla.redhat.com/show_bug.cgi?id=2295935
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
CVE-2024-38875 https://nvd.nist.gov/vuln/detail/CVE-2024-38875
GHSA-qg2p-9jwr-mmqf https://github.com/advisories/GHSA-qg2p-9jwr-mmqf
RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906
RHSA-2024:9481 https://access.redhat.com/errata/RHSA-2024:9481
USN-6888-1 https://usn.ubuntu.com/6888-1/
USN-6888-2 https://usn.ubuntu.com/6888-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38875.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://docs.djangoproject.com/en/dev/releases/security
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/django/django/commit/7285644640f085f41d60ab0c8ae4e9153f0485db
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-56.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://groups.google.com/forum/#%21forum/django-announce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.djangoproject.com/weblog/2024/jul/09/security-releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.16666
EPSS Score 0.00045
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-07-09T23:19:42.888229+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 34.0.0rc4