Vulnerability Details : CVE-2009-3695
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
Vulnerability category: Denial of service
Products affected by CVE-2009-3695
- cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3695
- EPSS score: 6.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~93% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2009-3695
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
References for CVE-2009-3695
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53727 (Django EmailField or URLField denial of service CVE-2009-3695 Vulnerability Report)
- http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/ (regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?)
- http://www.openwall.com/lists/oss-security/2009/10/13/6 (oss-security - Re: Duplicate CVE assignment notification [was: CVE id request: django])
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457 (#550457 - Remote denial of service via pathological performance of regular expressions - Debian Bug report logs)
- http://www.debian.org/security/2009/dsa-1905 (Debian -- Security Information -- DSA-1905-1 python-django)
- http://www.djangoproject.com/weblog/2009/oct/09/security/ (Security updates released | Weblog | Django) [Patch; Vendor Advisory]
- http://www.securityfocus.com/bid/36655 [Patch]
- http://www.vupen.com/english/advisories/2009/2871 [Patch; Vendor Advisory]