Vulnerability Details : CVE-2011-4137
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
Vulnerability category: Denial of service
Products affected by CVE-2011-4137
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-4137
4.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-4137
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2011-4137
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4137
-
https://hermes.opensuse.org/messages/14700881
openSUSE.org - 503
-
http://openwall.com/lists/oss-security/2011/09/13/2
oss-security - Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flawsPatch
-
http://openwall.com/lists/oss-security/2011/09/15/5
oss-security - Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
-
http://openwall.com/lists/oss-security/2011/09/11/1
oss-security - CVE Request -- Django: v1.3.1, v1.2.7 multiple security flawsPatch
-
https://www.djangoproject.com/weblog/2011/sep/09/
September 9 | Weblog | DjangoPatch;Vendor Advisory
-
http://www.debian.org/security/2011/dsa-2332
Debian -- Security Information -- DSA-2332-1 python-django
-
https://bugzilla.redhat.com/show_bug.cgi?id=737366
737366 – (CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140) CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flawPatch
-
https://www.djangoproject.com/weblog/2011/sep/10/127/
Django 1.2.7 released | Weblog | DjangoPatch
Jump to