7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2011-4137

GHSA ID

GHSA-3jqw-crqj-w8qw

EPSS Score

0.81652%

CWE

CWE-1088

Published

7/23/2018

Updated

9/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2011-4137

CVE-2011-4137: Denial of service in django

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2011-4137

GHSA ID

GHSA-3jqw-crqj-w8qw

EPSS Score

0.81652%

CWE

CWE-1088

Published

7/23/2018

Updated

9/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Django	pip	>= 0, < 1.2.7	1.2.7
Django	pip	>= 1.3, < 1.3.1	1.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key components:

URLValidator's call method implemented the verify_exists check using Python's urllib2 without timeouts or proper connection management. The commit diff shows this method originally used urllib2.urlopen directly and handled redirects unsafely.
URLField's init method enabled verify_exists by default, making applications vulnerable unless explicitly disabled. The patch changed this default to False. The combination of these two functions created the vulnerable path where user-controlled URLs could trigger unconstrained network requests, matching the CWE-1088 description of synchronous remote resource access without timeout.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** v*ri*y_*xists *un*tion*lity in t** URL*i*l* impl*m*nt*tion in *j*n*o ***or* *.*.* *n* *.*.x ***or* *.*.* r*li*s on Pyt*on li*r*ri*s t**t *tt*mpt ****ss to *n *r*itr*ry URL wit* no tim*out, w*i** *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi*

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *ompon*nts: *. URLV*li**tor's __**ll__ m*t*o* impl*m*nt** t** v*ri*y_*xists ****k usin* Pyt*on's urlli** wit*out tim*outs or prop*r *onn**tion m*n***m*nt. T** *ommit *i** s*ows t*is m*t*o* ori*in*lly us** urlli*

7.5

Basic Information

Concerned about an active attack path?

CVE-2011-4137: Denial of service in django

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI