CVE-2011-4137: Denial of service in django
(updated )
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
References
- bugzilla.redhat.com/show_bug.cgi?id=737366
- github.com/advisories/GHSA-3jqw-crqj-w8qw
- github.com/django/django
- github.com/django/django/commit/1a76dbefdfc60e2d5954c0ba614c3d054ba9c3f0
- github.com/django/django/commit/7268f8af86186518821d775c530d5558fd726930
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-2.yaml
- hermes.opensuse.org/messages/14700881
- nvd.nist.gov/vuln/detail/CVE-2011-4137
- www.djangoproject.com/weblog/2011/sep/09
- www.djangoproject.com/weblog/2011/sep/10/127
Code Behaviors & Features
Detect and mitigate CVE-2011-4137 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →