CVE-2021-45115 - High Severity Vulnerability
Vulnerable Library - Django-2.2.4.tar.gz
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/19/11/3449a2071df9427e7a5c4dddee2462e88840dd968a9b0c161097154fcb0c/Django-2.2.4.tar.gz
Path to dependency file: /wagtail/wagtail/project_template/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_6a8a4d3e-1a25-411e-895f-d18400c71569/20190823195740_81768/20190823195722_depth_0/1/Django-2.2.4.tar/Django-2.2.4
Dependency Hierarchy:
- :x: **Django-2.2.4.tar.gz** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
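The weakness the advisory describes, as an added example written for this page (it is not Django's code and not part of the Mend report): a similarity validator that compares the submitted password against short user attributes with `difflib.SequenceMatcher`, beside a length-ratio guard that skips comparisons which could never reach the similarity threshold. `FakeUser`, `similar_attributes`, `timed_check`, the sample user and the oversized password are all constructed for the example; the guard's thresholds follow the idea of the upstream fix but the exact numbers here are an assumption made for illustration, not a statement of what Django 2.2.26 ships.

```python
"""Added example (not Django's code): the CVE-2021-45115 pattern and a guard.

An unauthenticated registration form lets an attacker submit a multi-megabyte
password; every SequenceMatcher comparison then walks the whole string once
per attribute word. The guard skips comparisons whose result is known in
advance to be below the threshold, so the decision is unchanged but the
attacker no longer controls the amount of work done.
"""
import re
import time
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7   # Django's documented default for this validator
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")


class FakeUser:
    """Constructed stand-in for a user model (not a Django model)."""
    def __init__(self, username, first_name, last_name, email):
        self.username = username
        self.first_name = first_name
        self.last_name = last_name
        self.email = email


def exceeds_maximum_length_ratio(password, max_similarity, value):
    """True when `value` is so much shorter than `password` that quick_ratio()
    cannot reach `max_similarity`, so the comparison can be skipped safely.

    quick_ratio() <= 2*len(value) / (len(password) + len(value)), which stays
    below max_similarity whenever len(value) < max_similarity/2 * len(password).
    The 10x cutoff keeps the guard away from ordinary, human-sized passwords.
    Thresholds are an assumption for this example.
    """
    pwd_len = len(password)
    value_len = len(value)
    length_bound_similarity = max_similarity / 2 * pwd_len
    return pwd_len >= 10 * value_len and value_len < length_bound_similarity


def similar_attributes(password, user, max_similarity=MAX_SIMILARITY, guard=True):
    """Return (hits, comparisons): attributes whose value (or one word of it)
    is too similar to `password`, and how many SequenceMatcher comparisons
    were actually run. guard=False reproduces the unguarded, vulnerable pattern."""
    password = password.lower()
    hits = []
    comparisons = 0
    for attribute_name in USER_ATTRIBUTES:
        value = getattr(user, attribute_name, None)
        if not value or not isinstance(value, str):
            continue
        value_lower = value.lower()
        value_parts = re.split(r"\W+", value_lower) + [value_lower]
        for part in value_parts:
            if not part:
                continue
            if guard and exceeds_maximum_length_ratio(password, max_similarity, part):
                continue   # cannot be similar enough; skip the O(len(password)) walk
            comparisons += 1
            if SequenceMatcher(a=password, b=part).quick_ratio() >= max_similarity:
                hits.append((attribute_name, part))
                break      # one finding per attribute is enough
    return hits, comparisons


def timed_check(password, user, guard):
    """Run similar_attributes and report (seconds, hits, comparisons)."""
    start = time.perf_counter()
    hits, comparisons = similar_attributes(password, user, guard=guard)
    return time.perf_counter() - start, hits, comparisons


SAMPLE_USER = FakeUser("alice", "Alice", "Liddell", "alice@example.com")  # constructed
OVERSIZED_PASSWORD = "a" * 200_000   # constructed attacker input; scale up to see the effect


if __name__ == "__main__":
    print("ordinary password:", similar_attributes("alice1234", SAMPLE_USER))
    for guard in (False, True):
        secs, hits, comparisons = timed_check(OVERSIZED_PASSWORD, SAMPLE_USER, guard)
        print(f"oversized password, guard={guard}: {comparisons} comparisons, "
              f"{secs:.4f}s, hits={hits}")
```

With the guard off, the oversized password is walked once per attribute word (ten times for this sample user) and the cost scales linearly with the attacker-chosen length; with the guard on, no comparison runs at all, while an ordinary password such as `alice1234` is still rejected for matching the username, first name and e-mail. The upgrade to 2.2.26 (or the 3.2.11 / 4.0.1 equivalents) is the actual fix; the example only shows why a size guard in front of the comparison is sufficient.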
Publish Date: 2022-01-05
URL: CVE-2021-45115
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Release Date: 2022-01-05
Fix Resolution: 2.2.26