CVE-2020-15225

Denial of Service vulnerability in django-filter

CVSS 7.5 HIGH | EPSS 1.8% | CWE-681 (Incorrect Conversion between Numeric Types)
In short

Automatically generated NumberFilter instances in django-filter accepted numbers written in exponential notation with arbitrarily large exponents (for example 1e999999). Parsing such a value is cheap, but when the filter's value was later converted to an integer the expansion of the exponent consumed enough CPU and memory to deny service to other requests. Version 2.4.0 fixes this by applying a MaxValueValidator (default limit_value 1e50) to the form field behind NumberFilter.

Technical detail

Automatically generated NumberFilter instances in django-filter < 2.4.0 applied no magnitude check to exponential-notation input before the value was converted to an integer, so an unauthenticated attacker could submit a value with a huge exponent whose integer expansion consumed excessive CPU and memory, resulting in DoS (the CVSS vector below reflects network-reachable, no-privilege, availability-only impact). The fix applies a MaxValueValidator with a default limit_value of 1e50 to the form field used by NumberFilter and adds NumberFilter.get_max_validator(), which returns the validator instance to use; override it to return a differently configured validator, or None to disable the extra check. Deployments that cannot upgrade can attach an equivalent validator to the field themselves.

The summaries above were generated and translated by AI from the official description, which follows.
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
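The following is an added example, not code from django-filter or from the advisory. It is a standalone Python guard that mirrors the idea of the 2.4.0 fix (compare the parsed value against a ceiling such as 1e50 before anything calls int() on it) alongside a helper that shows why the unvalidated path was so expensive: a Decimal stores a coefficient and an exponent, so parsing and comparing '1e999999999' is O(1), whereas int() must materialise every one of its billion digits. The function names (check_number_input, expanded_digit_count) and the sample inputs are hypothetical and constructed for this page; Django is not required to run it.

```python
from decimal import Decimal, InvalidOperation

# Default ceiling, chosen to match the limit_value of 1e50 that django-filter
# 2.4.0 applies through MaxValueValidator. Kept as text so callers can pass
# any Decimal literal.
DEFAULT_LIMIT = "1e50"


def expanded_digit_count(raw):
    """How many decimal digits int(Decimal(raw)) would have to materialise.

    Parsing '1e999999999' into a Decimal is cheap, but converting it to int
    expands the exponent into a billion-digit integer (the pure-Python
    implementation literally builds a string with that many zeros first).
    This is the cost the unvalidated path paid for every such request.
    """
    value = Decimal(str(raw).strip())
    if not value.is_finite() or value == 0:
        return 0
    # adjusted() is the exponent of the most significant digit and is O(1);
    # values below 1 still truncate to a single digit (0).
    return max(value.adjusted() + 1, 1)


def check_number_input(raw, limit=DEFAULT_LIMIT):
    """Validate untrusted numeric text before it is converted to an integer.

    Returns (True, int_value) on success or (False, reason) on rejection.
    The magnitude check is done on the Decimal, which costs the same whatever
    the exponent, so '1e999999999' is rejected without ever being expanded.
    """
    limit = Decimal(limit)
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        return False, "not a number"
    # 'NaN' and 'Infinity' are valid Decimal literals; reject them explicitly,
    # since comparing with NaN signals and int(Infinity) raises.
    if not value.is_finite():
        return False, "non-finite value"
    # copy_abs() rather than abs(): abs() rounds to the current context and
    # would itself raise decimal.Overflow for exponents beyond Emax.
    if value.copy_abs() > limit:
        return False, f"magnitude exceeds limit {limit}"
    return True, int(value)


if __name__ == "__main__":
    # Constructed inputs, as they might arrive in a query string such as
    # ?price=1e999999999 against an auto-generated NumberFilter.
    samples = ["42", "-7.5", "1e50", "1e51", "-1e51",
               "1e999999999", "NaN", "Infinity", "abc"]
    for sample in samples:
        ok, result = check_number_input(sample)
        try:
            digits = expanded_digit_count(sample)
        except InvalidOperation:
            digits = "n/a"
        verdict = f"accept -> {result}" if ok else f"reject ({result})"
        print(f"{sample:>12}: int() would need {digits} digit(s); {verdict}")
```

In a django-filter deployment the same check is the mechanism the advisory describes: keep the default MaxValueValidator(limit_value=1e50), or override get_max_validator() on a NumberFilter subclass to return a validator with a different limit (or None to switch the check off); on versions before 2.4.0, add an equivalent MaxValueValidator to the field's validators yourself. Whatever the limit, it must be enforced before the value reaches any integer conversion, as above.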
