An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-b08735561c advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-396c94f0a3 advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:8534 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: Django: Memory exhaustion in django.utils.numberformat.floatformat()     (CVE-2024-41989)
    * automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize()     (CVE-2024-45230)
    * automation-gateway: XSS on automation-gateway (CVE-2024-10033)
    * receptor: quic-go: memory exhaustion attack against QUIC's connection ID mechanism (CVE-2024-22189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    * With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and     Operator-based deployments for Automation controller and Automation hub. For more information on how to     upgrade, refer to the Upgrading section of the AAP landing page. (ANSTRAT-809)

    Container-based Ansible Automation Platform
    * The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)
    * Automation hub is populated with container images (decision and execution environments) and Ansible     collections. (AAP-33759)
    * The Automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect     page to the Platform UI rather than a blank page. (AAP-33794)
    * Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)
    * containerized installer setup has been updated to 2.5-3

    RPM-based Ansible Automation Platform
    * Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis     high availability (HA) deployment. (AAP-33773)
    * Removed the variable aap_caching_mtls and replaced it with redis_disable_tls and redis_disable_mtls     which are boolean flags that disable Redis server TLS and Redis client certificate authentication.
    (AAP-33773)
    * An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or     automation hub URL. (AAP-33827)
    * ansible-automation-platform-installer and installer setup have been updated to 2.5-4

    Additional changes:
    * automation-controller has been updated to 4.6.2
    * automation-eda-controller has been updated to 1.1.2
    * automation-gateway has been updated to 2.5.3
    * automation-hub/python3.11-galaxy-ng has been updated to 4.10.1
    * python3.11-django-ansible-base has been updated to 2.5.3
    * receptor has been updated to 1.4.9

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2024:3187-1 advisory.

    There is an issue with the previous fix for CVE-2024-45230. Please consider the following vulnerability     fixed only after the installation of this update.
      - CVE-2024-45230: Fixed potential denial-of-service vulnerability in django.utils.html.urlize().
    (bsc#1229823)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3161-1 advisory.

    - CVE-2024-45230: Fixed potential denial-of-service vulnerability in django.utils.html.urlize().
    (bsc#1229823)
    - CVE-2024-45231: Fixed potential user email enumeration via response status on password reset.
    (bsc#1229824)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-e2bde0853b advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-28892f7c8f advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-4a08381122 advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-865828665c advisory.

    `urlize` and `urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with     a specific sequence of characters.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The detected version of the Django Python package, Django, is 4.2.x prior to 4.2.16, 5.0.x prior to 5.0.9 or 5.1.x prior to 5.1.1. It is, therefore, affected by multiple vulnerabilities as disclosed in Django's September 3rd 2024 security advisory:

  - urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a   specific sequence of characters. (CVE-2024-45230)  
  - Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed   remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes.
  (CVE-2024-45231)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3139-1 advisory.

    - CVE-2024-45230: Fixed potential denial-of-service vulnerability in django.utils.html.urlize().
    (bsc#1229823)
    - CVE-2024-45231: Fixed potential user email enumeration via response status on password reset.
    (bsc#1229824)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6987-1 advisory.

    It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this     issue to cause a denial of service. (CVE-2024-45230)

    It was discovered that Django incorrectly handled certain email sending failures. A remote attacker could     possibly use this issue to enumerate user emails by issuing password reset requests and observing the     outcomes. (CVE-2024-45231)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211169	Fedora 41 : python-django4.2 (2024-b08735561c)	Nessus	Fedora Local Security Checks	high
211131	Fedora 41 : python-django (2024-396c94f0a3)	Nessus	Fedora Local Security Checks	high
209894	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Release Update (Moderate) (RHSA-2024:8534)	Nessus	Red Hat Local Security Checks	medium
206952	openSUSE 15 Security Update : python-Django (SUSE-SU-2024:3187-1)	Nessus	SuSE Local Security Checks	high
206749	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2024:3161-1)	Nessus	SuSE Local Security Checks	medium
206713	Fedora 39 : python-django (2024-e2bde0853b)	Nessus	Fedora Local Security Checks	high
206710	Fedora 39 : python-django4.2 (2024-28892f7c8f)	Nessus	Fedora Local Security Checks	high
206708	Fedora 40 : python-django (2024-4a08381122)	Nessus	Fedora Local Security Checks	high
206703	Fedora 40 : python-django4.2 (2024-865828665c)	Nessus	Fedora Local Security Checks	high
206676	Python Library Django 4.2.x < 4.2.16 / 5.0.x < 5.0.9 / 5.1.x < 5.1.1 Multiple Vulnerabilities	Nessus	Misc.	medium
206633	openSUSE 15 Security Update : python-Django (SUSE-SU-2024:3139-1)	Nessus	SuSE Local Security Checks	medium
206498	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Django vulnerabilities (USN-6987-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2024-45230

high

Tenable Plugins

high

high

medium

high

medium

high

high

high

high

medium

medium

medium