CVE-2020-15225: Incorrect Conversion between Numeric Types
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter, automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. The fixed release applies a MaxValueValidator with a default limit_value of 1e50 to the form field used by NumberFilter instances. In addition, NumberFilter implements the new get_max_validator() method, which should return a configured validator instance to customise the limit, or else None to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
References
- github.com/advisories/GHSA-x7gm-rfgv-w973
- github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
- github.com/carltongibson/django-filter/releases/tag/2.4.0
- github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK/
- nvd.nist.gov/vuln/detail/CVE-2020-15225
- pypi.org/project/django-filter/
- security.netapp.com/advisory/ntap-20210604-0010/