
CVE-2010-4535:
Improper date handling in Django

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.88931%
Published: 7/23/2018
Updated: 9/17/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
django         pip         < 1.1.3               1.1.3
Django         pip         >= 1.2, < 1.2.4       1.2.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two points: (1) base36_to_int in http.py performed no input validation, so an attacker-controlled string of arbitrary length went straight into a big-integer conversion whose cost grows quadratically with the number of digits, and (2) the password-reset URL pattern in urls.py matched the uidb36 parameter with an unbounded quantifier, so nothing upstream limited how long that string could be. The commit diff addresses both: the route regex is tightened to at most 13 base36 digits (enough to encode any 64-bit integer), and base36_to_int rejects longer input before converting. The CVE description ties the DoS to unvalidated handling of a base36 timestamp; the timestamp embedded in the reset token is decoded by the same function, so the length check inside base36_to_int, not only the route regex, is what closes that path.
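The two changes described above, as an added example that is not Django's code: a stand-alone model of the pre-fix and post-fix decoder, the pre-fix and post-fix route pattern, and a minimal view that routes a path and decodes uidb36. Function names, the regexes, the constant MAX_VALUE (standing in for the sys.maxint bound used upstream) and the sample paths are all assumptions made for this example.

```python
import re

# Added example, not Django's code. Models the fix for CVE-2010-4535: a length
# cap in base36_to_int plus a bounded quantifier in the password-reset route.
# Names, regexes and sample inputs below are our own assumptions.

# 13 base36 digits suffice for any 64-bit integer (36**12 < 2**64 < 36**13),
# so a legitimate user id or timestamp never needs more than that.
MAX_BASE36_LEN = 13
MAX_VALUE = 2**63 - 1  # stands in for the sys.maxint bound the upstream fix used

BASE36_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36_to_int_unbounded(s):
    """Pre-fix behaviour: whatever the URL carries goes straight into int().
    For non-power-of-two bases, CPython's string-to-int conversion is
    quadratic in the digit count, so a very long string burns CPU."""
    return int(s, 36)


def base36_to_int(s):
    """Post-fix behaviour: reject over-long input before converting, then
    reject decoded values that would not fit a platform integer."""
    if len(s) > MAX_BASE36_LEN:
        raise ValueError("Base36 input too large")
    value = int(s, 36)
    if value > MAX_VALUE:
        raise ValueError("Base36 input too large")
    return value


def is_rejected(s):
    """True when the hardened decoder refuses the string."""
    try:
        base36_to_int(s)
    except ValueError:
        return True
    return False


def int_to_base36(i):
    """Encoder, used only to build valid sample inputs for the demo."""
    if i < 0:
        raise ValueError("Negative base36 conversion input.")
    if i == 0:
        return "0"
    digits = []
    while i:
        i, r = divmod(i, 36)
        digits.append(BASE36_DIGITS[r])
    return "".join(reversed(digits))


# Route patterns: '+' lets the client pick the uidb36 length; '{1,13}' does not.
# The token part stays '.+' in both, which is why the decoder's own length
# check matters for the base36 timestamp carried inside the token.
RESET_CONFIRM_UNBOUNDED = re.compile(r"^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$")
RESET_CONFIRM_BOUNDED = re.compile(r"^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>.+)/$")


def reset_confirm_view(path, pattern=RESET_CONFIRM_BOUNDED, decoder=base36_to_int):
    """Minimal model of the reset-confirm view: route the path, decode uidb36,
    return the numeric user id, or None where Django would 404 or render the
    'invalid link' page."""
    match = pattern.match(path)
    if match is None:
        return None
    try:
        return decoder(match.group("uidb36"))
    except ValueError:
        return None


# Constructed hostile request: 4000 base36 digits. Kept under the 4300-digit
# limit Python 3.11+ imposes on int() itself, so the pre-fix path really does
# perform the conversion on any interpreter version.
HOSTILE_PATH = "reset/" + "z" * 4000 + "-3i-abcdef0123456789abcdef/"
BENIGN_PATH = "reset/" + int_to_base36(42) + "-3i-abcdef0123456789abcdef/"


def compare():
    """Return (pre-fix result for the hostile path, post-fix result for the
    hostile path, post-fix result for the benign path)."""
    before = reset_confirm_view(HOSTILE_PATH, RESET_CONFIRM_UNBOUNDED, base36_to_int_unbounded)
    after = reset_confirm_view(HOSTILE_PATH)
    benign = reset_confirm_view(BENIGN_PATH)
    return before, after, benign


if __name__ == "__main__":
    before, after, benign = compare()
    print("pre-fix: decoded a %d-bit integer from the hostile URL" % before.bit_length())
    print("post-fix result for the hostile URL:", after)
    print("post-fix result for the benign URL:", benign)
```

Run it and the pre-fix path decodes a roughly 20,000-bit integer from a single URL, while the post-fix path never reaches int() for the same request. A modern CPython adds a second line of defence here (sys.set_int_max_str_digits, default 4300), but that arrived years after this CVE and only caps the worst case; the application-level cap at 13 digits is the tight bound that matches what the field can legitimately hold.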


WAF Protection Rules

WAF Rule

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service.
