
CVE-2011-4137: Denial of service in django

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.81652%
Published: 7/23/2018
Updated: 9/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
Django         pip         >= 0, < 1.2.7         1.2.7
Django         pip         >= 1.3, < 1.3.1       1.3.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from two key components:

  1. URLValidator's __call__ method implemented the verify_exists check using Python's urllib2 without timeouts or proper connection management. The commit diff shows this method originally used urllib2.urlopen directly and handled redirects unsafely.
  2. URLField's __init__ method enabled verify_exists by default, making applications vulnerable unless it was explicitly disabled. The patch changed this default to False.

The combination of these two functions created the vulnerable path: a user-controlled URL could trigger an unconstrained outbound network request, matching the CWE-1088 description of synchronous remote resource access without a timeout.
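As an added illustration (not code from Miggo or from Django), this reproduces the shape of the verify_exists check with Python 3's urllib.request against a constructed local server that completes the TCP handshake and then stays silent, and shows that only a finite timeout lets the validator return; silent_server and verify_exists are names chosen here. Django's own fix additionally defaulted verify_exists to False, which this example does not model.

```python
import socket
import threading
import urllib.error
import urllib.request


def silent_server():
    """Constructed stand-in for a slow host: completes the TCP handshake and
    then never sends a byte. Returns (port, stop_event)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop, held = threading.Event(), []

    def loop():
        while not stop.is_set():
            try:
                held.append(srv.accept()[0])  # keep the connection open, stay silent
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def verify_exists(url, timeout=None):
    """Same shape as the pre-1.2.7 check: fetch the user-supplied URL to see
    whether it resolves. timeout=None blocks for as long as the remote host
    wishes (the CVE); a finite timeout bounds the wait. Returns 'ok',
    'timeout' or 'error' so callers can decide what to do with the URL."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return "ok"
    except socket.timeout:          # raised while waiting for the response
        return "timeout"
    except urllib.error.URLError as exc:   # connect-phase errors are wrapped
        return "timeout" if isinstance(exc.reason, socket.timeout) else "error"


if __name__ == "__main__":
    port, stop = silent_server()
    # With timeout=None this call would never return; bounded, it gives up.
    print(verify_exists(f"http://127.0.0.1:{port}/", timeout=1.0))  # timeout
    stop.set()
```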


WAF Protection Rules

WAF Rule

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service
