CVERadar

CVE-2024-38875

Severity: Medium
SVRS: 36/100
CVSSv3: NA/10
EPSS: 0.00199/1

CVE-2024-38875 is a potential denial-of-service vulnerability in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. The urlize and urlizetrunc functions (also exposed as template filters that turn URLs in free text into links) can be driven into excessive processing time by crafted input containing a very large number of brackets. No CVSSv3 base score is listed here (shown as NA), while SOCRadar's Vulnerability Risk Score (SVRS) of 36 indicates a moderate level of risk. An attacker who can submit text that the application passes through these functions can consume server CPU time and make the application unavailable to legitimate users. Although the SVRS is below the critical threshold (80), upgrading to 4.2.14 or 5.0.7 promptly is advisable. The issue illustrates why web applications must bound the work they do on untrusted input; leaving CVE-2024-38875 unpatched risks service disruption for users.
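The time-complexity pattern behind this class of bug, as an added illustration for this page: the block below is a hypothetical model written here, not Django's urlize code, and its bracket-trimming rules are simplified assumptions. It shows a trim loop that rescans the whole token on every pass (quadratic on a token made of brackets) beside the same rules implemented with running counts (linear), so the two can be compared on a constructed hostile input.

```python
"""Hypothetical model of a bracket-trimming loop that goes quadratic.

This is NOT Django's urlize implementation; it is a constructed example of
the pattern the advisory describes: a linkifier strips wrapping brackets
from a token one layer at a time and re-counts brackets in the remaining
text on every pass, so a token made of many brackets costs O(n^2).
"""
import time


def trim_quadratic(word: str) -> tuple:
    """Peel one leading '(' and, if the closers outnumber the openers,
    one trailing ')' per pass. str.count() and the slices each walk the
    whole remaining string, and there can be len(word) passes."""
    lead, middle, trail = "", word, ""
    trimmed = True
    while trimmed:
        trimmed = False
        if middle.startswith("("):
            lead, middle, trimmed = lead + "(", middle[1:], True
        # Keep a trailing ')' only when it balances an opener inside the URL,
        # e.g. http://en.wikipedia.org/wiki/Foo_(bar). Each check rescans.
        if middle.endswith(")") and middle.count(")") > middle.count("("):
            middle, trail, trimmed = middle[:-1], ")" + trail, True
    return lead, middle, trail


def trim_linear(word: str) -> tuple:
    """Same rules, same output, but the counts are taken once and then kept
    up to date as the indices move, so the total work is O(len(word))."""
    lo, hi = 0, len(word)
    opens, closes = word.count("("), word.count(")")
    trimmed = True
    while trimmed:
        trimmed = False
        if lo < hi and word[lo] == "(":
            lo, opens, trimmed = lo + 1, opens - 1, True
        if lo < hi and word[hi - 1] == ")" and closes > opens:
            hi, closes, trimmed = hi - 1, closes - 1, True
    return word[:lo], word[lo:hi], word[hi:]


def hostile_token(n: int) -> str:
    """Constructed attacker input: n openers, one character, n closers."""
    return "(" * n + "x" + ")" * n


def time_both(n: int) -> tuple:
    """Wall-clock seconds for each implementation on hostile_token(n)."""
    token = hostile_token(n)
    t0 = time.perf_counter()
    trim_quadratic(token)
    t1 = time.perf_counter()
    trim_linear(token)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # Doubling n roughly quadruples the first column and doubles the second.
    for n in (2_000, 4_000, 8_000, 16_000):
        quad, lin = time_both(n)
        print(f"n={n:6d}  quadratic={quad:8.3f}s  linear={lin:8.5f}s")
```

Run it as a script to see the growth curve; the hostile token is only a few tens of kilobytes, which is well inside what a comment form or profile field would accept, so an input-length limit alone does not close this class of bug.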

No tags available
2024-07-10

2024-07-12

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

USN-6888-2: Django vulnerabilities (ubuntu.com, 2024-07-11)
USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Original advisory details: Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service. (CVE-2024-38875) It was discovered that Django incorrectly handled authenticating users with unusable passwords. A remote attacker could possibly use this issue to perform a timing attack and enumerate users. (CVE-2024-39329) Josh Schneier

CVE-2024-38875 | Django up to 4.2.13/5.0.6 urlize/urlizetrunc denial of service (vuldb.com, 2024-07-10)
A vulnerability, which was classified as problematic, was found in Django up to 4.2.13/5.0.6. This affects the function urlize/urlizetrunc. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2024-38875. Access to the local network is required for this attack to succeed. There is no exploit

USN-6888-1: Django vulnerabilities (2024-07-09)
Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service. (CVE-2024-38875) It was discovered that Django incorrectly handled authenticating users with unusable passwords. A remote attacker could possibly use this issue to perform a timing attack and enumerate users. (CVE-2024-39329) Josh Schneier discovered that Django incorrectly handled file path validation when the storage class is being derived. A remote attacker could possibly use
Related CVEs: CVE-2024-39330, CVE-2024-39614, CVE-2024-39329, CVE-2024-38875

Social Media

⚡ CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time c... 👨🏻‍💻 l33thaxor ➟ Internet Bug Bounty 🟧 Medium 💰 $2,142 🔗 https://t.co/FPUM2JqQgc #bugbounty #bugbountytips #cybersecurity #infosec https://t.co/sZTacJfjKX

Affected Software

No affected software found for this CVE
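This section lists no affected software, but the description above gives the affected ranges (4.2 before 4.2.14 and 5.0 before 5.0.7). As an added example, not Django's or SOCRadar's own tooling, the block below checks a given or installed Django version against exactly those ranges. The version-string grammar it accepts, and the choice to treat a pre-release of the fix version (such as 4.2.14rc1) as still unpatched, are assumptions made here.

```python
"""Check a Django version string, or the installed Django, against the
affected ranges stated on this page for CVE-2024-38875.

Added example; the accepted version grammar is an assumption. Series not
named in the ranges (3.2, 4.1, 5.1, ...) get None rather than a verdict.
"""
import re
from importlib import metadata
from typing import Optional, Tuple

# (series) -> first fixed release, taken from the description above.
FIXED_IN = {(4, 2): (4, 2, 14), (5, 0): (5, 0, 7)}

# major.minor[.patch][pre-release tag], e.g. 4.2.13, 5.0, 4.2.14rc1, 5.1a1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*([a-z]+\d*)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '4.2.13', '5.0' or '4.2.14rc1' into a sortable tuple.

    The last element is 1 for a final release and 0 for a pre-release, so
    4.2.14rc1 sorts below 4.2.14 and is treated as unpatched (assumption:
    a pre-release of the fix version is not trusted to contain the fix).
    Anything the grammar does not recognise raises rather than guessing."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if pre else 1


def is_affected(text: str) -> Optional[bool]:
    """True inside a stated affected range, False at or past the fix for
    that series, None if the series is not covered by the stated ranges."""
    major, minor, patch, final = parse_version(text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch, final) < (*fixed, 1)


def check_installed() -> Optional[Tuple[str, Optional[bool]]]:
    """Read the installed Django distribution's version without importing
    django (importing it would demand a settings module). None if absent."""
    try:
        version = metadata.version("Django")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)


if __name__ == "__main__":
    found = check_installed()
    if found is None:
        print("Django is not installed in this environment")
    else:
        version, affected = found
        verdict = {
            True: "AFFECTED by CVE-2024-38875, upgrade",
            False: "fixed release for its series",
            None: "series not covered by the ranges stated here",
        }[affected]
        print(f"Django {version}: {verdict}")
```

Run it inside each virtualenv or container image that ships Django; for a series that returns None, consult the upstream advisory rather than assuming it is safe.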

References

https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

CWE Details

CWE-130 (Improper Handling of Length Parameter Inconsistency): The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
