CVE-2020-15225: Potential DoS with NumberFilter conversion to integer values.
Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to a potential DoS from malicious input using exponential format with sufficiently large exponents.
References
- github.com/advisories/GHSA-x7gm-rfgv-w973
- github.com/carltongibson/django-filter
- github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
- github.com/carltongibson/django-filter/releases/tag/2.4.0
- github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
- github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX
- nvd.nist.gov/vuln/detail/CVE-2020-15225
- pypi.org/project/django-filter
- security.netapp.com/advisory/ntap-20210604-0010
Detect and mitigate CVE-2020-15225 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.