CVE-2021-45115

CVSS Severity Score: 7.5 (HIGH)
EPSS Score: 0.0720%
EPSS Percentile: 9.63th
Published: Jan 5, 2022
Last Modified: Nov 21, 2024

Vulnerability Description

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

Affected Platforms (CPE)

Djangoproject Django: >= 2.2 and < 2.2.26
Djangoproject Django: >= 3.2 and < 3.2.11
Djangoproject Django: >= 4.0 and < 4.0.1
Fedoraproject Fedora: = 35

References & Advisories

Related Vulnerabilities