{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-45230", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-17T14:12:05.808Z", "dateReserved": "2024-08-24T00:00:00.000Z", "datePublished": "2024-10-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-08T15:05:33.553Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "affected": [{"vendor": "djangoproject", "product": "django", "cpes": ["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.1", "status": "affected", "lessThan": "5.1.1", "versionType": "custom"}, {"version": "5.0", "status": "affected", "lessThan": "5.0.9", "versionType": "custom"}, {"version": "4.2", "status": "affected", "lessThan": "4.2.16", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-30T16:30:05.616132Z", "id": "CVE-2024-45230", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T14:12:05.808Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-45230", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-30T16:30:05.616132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"], "vendor": "djangoproject", "product": "django", "versions": [{"status": "affected", "version": "5.1", "lessThan": "5.1.1", "versionType": "custom"}, {"status": "affected", "version": "5.0", "lessThan": "5.0.9", "versionType": "custom"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.16", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T18:34:21.663Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-08T15:05:33.553Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45230", "state": "PUBLISHED", "dateUpdated": "2025-03-17T14:12:05.808Z", "dateReserved": "2024-08-24T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-10-08T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F4E9063-064F-4C6E-9985-7A049D38D299", "versionEndExcluding": "4.2.16", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B3803EA-9D53-4E0B-A8E2-CB90D9677E75", "versionEndExcluding": "5.0.9", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "6A1AE023-D9C3-4D36-B17F-7F6F24E59EF2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Django 5.1 anterior a 5.1.1, 5.0 anterior a 5.0.9 y 4.2 anterior a 4.2.16. Los filtros de plantilla urlize() y urlizetrunc() est\u00e1n sujetos a un posible ataque de denegaci\u00f3n de servicio mediante entradas muy grandes con una secuencia espec\u00edfica de caracteres."}], "id": "CVE-2024-45230", "lastModified": "2025-03-17T15:15:41.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-08T16:15:11.903", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8534", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "automation-controller-0:4.6.2-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:8534", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "automation-controller-0:4.6.2-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2024-10-28T00:00:00Z"}], "bugzilla": {"description": "python-django: Potential denial-of-service vulnerability in django.utils.html.urlize()", "id": "2314485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314485"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.", "A flaw was found in Python's Django urlize() and urlizetrunc() functions. Excessive input with a specific sequence of characters may lead to denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45230", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Will not fix", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:discovery:1", "fix_state": "Affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery 1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-09-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45230\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45230"], "statement": "CVE-2024-45230 is classified as a moderate severity vulnerability because, while it presents a potential denial-of-service (DoS) risk, it does not directly expose the application to data breaches or arbitrary code execution. The vulnerability arises from inefficient handling of very large inputs with specific character sequences in the `urlize()` and `urlizetrunc()` functions. However, the attack requires carefully crafted input and only leads to resource exhaustion (such as CPU or memory overload) under specific conditions, making it less likely to be exploited in typical production environments. This reduces its impact compared to vulnerabilities that allow unauthorized access or significant system compromise, hence the moderate severity rating.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "threat_severity": "Moderate"}