{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2020-15225","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2024-08-04T13:08:22.886Z","dateReserved":"2020-06-25T00:00:00.000Z","datePublished":"2021-04-29T00:00:00.000Z"},"containers":{"cna":{"title":"Denial of Service vulnerability in django-filter","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-06-15T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to a potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()`, which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade."}],"affected":[{"vendor":"carltongibson","product":"django-filter","versions":[{"version":"< 2.4.0","status":"affected"}]}],"references":[{"url":"https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973"},{"url":"https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b"},{"url":"https://github.com/carltongibson/django-filter/releases/tag/2.4.0"},{"url":"https://pypi.org/project/django-filter/"},{"url":"https://security.netapp.com/advisory/ntap-20210604-0010/"},{"name":"FEDORA-2021-f213fea441","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/"},{"name":"FEDORA-2021-1acbee2459","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/"},{"name":"FEDORA-2023-4dee6d0a76","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX/"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-681: Incorrect Conversion between Numeric Types","cweId":"CWE-681"}]}],"source":{"advisory":"GHSA-x7gm-rfgv-w973","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T13:08:22.886Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973","tags":["x_transferred"]},{"url":"https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b","tags":["x_transferred"]},{"url":"https://github.com/carltongibson/django-filter/releases/tag/2.4.0","tags":["x_transferred"]},{"url":"https://pypi.org/project/django-filter/","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20210604-0010/","tags":["x_transferred"]},{"name":"FEDORA-2021-f213fea441","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/"},{"name":"FEDORA-2021-1acbee2459","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/"},{"name":"FEDORA-2023-4dee6d0a76","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX/"}]}]}}