fecgov / fec-eregs

The Federal Election Commission's web-based application that makes regulations easier to find, read and understand.
https://www.fec.gov/regulations/

[Snyk: High] django Denial of Service (DoS)(due by 03/15/2023) #747

Closed fec-jli closed 1 year ago

fec-jli commented 1 year ago

The security alert has been escalated to high since last week. A newer version of django@3.2.18, @4.0.10, @4.1.7 is available now. https://app.snyk.io/org/fecgov/project/5e01de94-91bc-43d8-90b1-8843384b4b26

Introduced through django@3.2.16, django-haystack@3.1.1 and others Fixed in django@3.2.18, @4.0.10, @4.1.7

Detailed paths and remediation

Introduced through: project@0.0.0 › django@3.2.16
Fix: Upgrade django to version 3.2.18 or 4.0.10 or 4.1.7

Introduced through: project@0.0.0 › django-haystack@3.1.1 › django@3.2.16
Fix: Pin django to version 3.2.18 or 4.0.10 or 4.1.7

Introduced through: project@0.0.0 › django-mptt@0.13.4 › django-js-asset@2.0.0 › django@3.2.16
Fix: Pin django to version 3.2.18 or 4.0.10 or 4.1.7

Security information

Factors contributing to the scoring:

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data in http/multipartparser.py. An attacker can trigger the opening of a large number of uploaded files which are not subsequently closed, consuming memory or file handling resources.

==========================

Original Medium alert

Introduced through django@3.2.16, django-haystack@3.1.1 and others
Fixed in django@3.2.17, @4.0.9, @4.1.6
Exploit maturity: NO KNOWN EXPLOIT

Detailed paths and remediation

Introduced through: project@0.0.0 › django@3.2.16
Fix: Upgrade django to version 3.2.17 or 4.0.9 or 4.1.6

Introduced through: project@0.0.0 › django-haystack@3.1.1 › django@3.2.16
Fix: Pin django to version 3.2.17 or 4.0.9 or 4.1.6

Introduced through: project@0.0.0 › django-mptt@0.13.4 › django-js-asset@2.0.0 › django@3.2.16
Fix: Pin django to version 3.2.17 or 4.0.9 or 4.1.6

Security information

Factors contributing to the scoring:
Snyk: CVSS 5.3 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to the parsed values of Accept-Language headers which are cached, in order to avoid repetitive parsing. If the raw value of Accept-Language headers is very large, this will cause excessive memory usage.
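The remediation in the alert is a version pin, and the pinned version has to meet the fixed release of its own Django series (3.2.x, 4.0.x or 4.1.x) rather than just "a higher number". The check below is an added example, not code from fec-eregs or Snyk; the fixed versions come from the alert above, and the requirements text is a constructed sample.

```python
"""Check a pinned django requirement against the fixed releases named in the alert."""
import re

# Minimum fixed release per Django series, as listed in the Snyk alert above.
FIXED_BY_SERIES = {(3, 2): (3, 2, 18), (4, 0): (4, 0, 10), (4, 1): (4, 1, 7)}

# Constructed sample requirements file (not the project's real pins).
SAMPLE_REQUIREMENTS = """\
Django==3.2.16
django-haystack==3.1.1
django-mptt==0.13.4
"""


def parse_version(text):
    """Turn '3.2.16' into (3, 2, 16); only the first three numeric parts count."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def find_pinned_django(requirements):
    """Return the '=='-pinned django version tuple, or None if django is not pinned.

    The transitive paths (django-haystack › django, django-mptt › ... › django)
    resolve to this same pin, so one direct pin covers all three alert paths.
    """
    for line in requirements.splitlines():
        m = re.match(r"^\s*django\s*==\s*([\d.]+)", line, re.IGNORECASE)
        if m:
            return parse_version(m.group(1))
    return None


def is_fixed(version):
    """True/False if the version's series is in the alert; None if the series is
    not covered by the alert (assumption: unknown series are left unassessed)."""
    series = version[:2]
    if series not in FIXED_BY_SERIES:
        return None
    return version >= FIXED_BY_SERIES[series]


def check_requirements(requirements):
    """Return (pinned_version, fixed_flag); (None, None) when django is unpinned."""
    version = find_pinned_django(requirements)
    if version is None:
        return None, None
    return version, is_fixed(version)


if __name__ == "__main__":
    v, ok = check_requirements(SAMPLE_REQUIREMENTS)
    print("django", ".".join(map(str, v)), "fixed" if ok else "NOT FIXED")
```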

tmpayton commented 1 year ago

Implemented under pull request #752