SB2022011843 - SUSE update for python-Django 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022011843

SB2022011843 - SUSE update for python-Django

Published: January 18, 2022

Security Bulletin ID SB2022011843
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2021-45115)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in UserAttributeSimilarityValidator when evaluating submitted password that were artificially large in relative to the comparison values. A remote attacker can pass specially crafted password to the application and perform a denial of service (DoS) attack.


2) Information exposure through externally-generated error message (CVE-ID: CVE-2021-45116)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application while handling error conditions in the dictsort template filter. A remote user can obtain sensitive information on the system.


3) Path traversal (CVE-ID: CVE-2021-45452)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the Storage.save() method. A remote user can pass a specially crafted HTTP filename to the application and write the file outside of the intended directory.


Remediation

Install update from vendor's website.

References