Vulnerability details: VCID-jaz4-2j4u-aaas
Vulnerability ID VCID-jaz4-2j4u-aaas
Aliases BIT-django-2024-41991, CVE-2024-41991, GHSA-r836-hh6v-rg5g, PYSEC-2024-69
Summary An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack when given certain inputs containing a very large number of Unicode characters. Upgrading to 5.0.8 or 4.2.15 fixes the issue.
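The following version check is an added example, not code from VulnerableCode or the Django project. It encodes only the two ranges the summary states (5.0 before 5.0.8, 4.2 before 4.2.15); any version outside those series is reported as "not covered" rather than "fixed", because the summary says nothing about it. The pre-release ordering (a < b < rc < final) is an assumption that follows Django's usual version tags, so that a 5.0 release candidate is still counted on the vulnerable side of the 5.0.8 boundary.

```python
"""Affected-version check for CVE-2024-41991 (added example, stdlib only).

Ranges come straight from this page's summary: Django 5.0 before 5.0.8 and
4.2 before 4.2.15. Nothing else is asserted about other series.
"""
import re
from typing import Optional, Tuple

# Series -> first fixed release, as stated in the summary.
FIXED_IN = {
    (5, 0): (5, 0, 8),
    (4, 2): (4, 2, 15),
}

# MAJOR.MINOR[.PATCH][a|b|rc N], e.g. "4.2.15", "5.0", "5.0rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Django version string into a comparable tuple.

    Assumption: pre-releases sort below their final release
    (5.0rc1 < 5.0 < 5.0.8), so an rc of a fixed version is still "affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    tag_rank = {"a": 0, "b": 1, "rc": 2, None: 3}[tag]
    return (int(major), int(minor), int(patch or 0), tag_rank, int(tag_num or 0))


def status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' for the ranges on this page."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # 5.1, 3.2, ... are not mentioned in the summary; do not call them safe.
        return "not covered"
    # Append the "final release" rank so the boundary compares correctly.
    return "affected" if v < fixed + (3, 0) else "fixed"


def installed_django_status() -> Optional[str]:
    """Status of the Django installed in this interpreter, or None if absent."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8
        return None
    try:
        return status(version("Django"))
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for v in ["4.2.14", "4.2.15", "5.0", "5.0.7", "5.0.8", "5.0rc1", "5.1", "3.2.25"]:
        print(f"{v:>8}: {status(v)}")
    print("installed:", installed_django_status())
```

Run it inside the virtualenv of the deployment you are auditing; `installed_django_status()` reads the version from package metadata rather than importing Django, so it works even when settings are not configured.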
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41991.json
epss 0.00053 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00158 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.0016 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00167 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00173 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00415 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00418 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
epss 0.00545 https://api.first.org/data/v1/epss?cve=CVE-2024-41991
cvssv3.1 3.7 https://docs.djangoproject.com/en/dev/releases/security
generic_textual MODERATE https://docs.djangoproject.com/en/dev/releases/security
generic_textual Medium https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-r836-hh6v-rg5g
cvssv3.1 3.7 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 5.3 https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
generic_textual MODERATE https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
cvssv3.1 5.3 https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
generic_textual MODERATE https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
cvssv3.1 5.3 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
cvssv3.1 3.7 https://groups.google.com/forum/#%21forum/django-announce
generic_textual MODERATE https://groups.google.com/forum/#%21forum/django-announce
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2024-41991
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-41991
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-41991
cvssv3.1 9.1 https://www.djangoproject.com/weblog/2024/aug/06/security-releases
generic_textual CRITICAL https://www.djangoproject.com/weblog/2024/aug/06/security-releases
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41991.json
https://api.first.org/data/v1/epss?cve=CVE-2024-41991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
https://docs.djangoproject.com/en/dev/releases/security
https://docs.djangoproject.com/en/dev/releases/security/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
https://groups.google.com/forum/#%21forum/django-announce
https://nvd.nist.gov/vuln/detail/CVE-2024-41991
https://www.djangoproject.com/weblog/2024/aug/06/security-releases
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
1078074 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078074
2302435 https://bugzilla.redhat.com/show_bug.cgi?id=2302435
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
GHSA-r836-hh6v-rg5g https://github.com/advisories/GHSA-r836-hh6v-rg5g
RHSA-2024:7987 https://access.redhat.com/errata/RHSA-2024:7987
RHSA-2025:1249 https://access.redhat.com/errata/RHSA-2025:1249
RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
USN-6946-1 https://usn.ubuntu.com/6946-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41991.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://docs.djangoproject.com/en/dev/releases/security
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://groups.google.com/forum/#%21forum/django-announce
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-41991
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-41991
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.djangoproject.com/weblog/2024/aug/06/security-releases
Exploit Prediction Scoring System (EPSS)
Percentile 0.22280
EPSS Score 0.00053
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-07-31T12:46:41.792461+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 34.0.0rc4