CVE-2021-45115

Aliases:GHSA-53qw-q765-4fwwBIT-django-2021-45115PYSEC-2022-1

Advisory lineage Upstream: 0 Downstream: 13

Downstream

DEBIAN-CVE-2021-45115 DLA-3177-1 MGASA-2022-0011 OPENSUSE-SU-2023:0005-1 OPENSUSE-SU-2024:11725-1 OPENSUSE-SU-2024:14208-1

Modified

Published: 04 Jan 2022, 23:16

Last modified:04 Aug 2024, 04:39

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.41% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Jan 2022, 23:16

Published

Vulnerability first disclosed

04 Aug 2024, 04:39

Last Modified

Vulnerability information updated

Description

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

CVSS Metrics

v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.41%• Percentile: 62%

Affected Systems

djangoproject•django
≥ 2.2, < 2.2.26 | ≥ 3.2, < 3.2.11 | ≥ 4.0, < 4.0.1
fedoraproject•fedora
35
PyPI•django
≥ 2.2a1, < 2.2.26 | ≥ 3.2a1, < 3.2.11 | ≥ 4.0a1, < 4.0.1 | ≥ 4.0, < 4.0.1