
CVE-2014-0481: Django denial of service via file upload naming

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.80167%
Published: 5/14/2022
Updated: 9/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
django         pip         < 1.4.14              1.4.14
django         pip         >= 1.5, < 1.5.9       1.5.9
django         pip         >= 1.6, < 1.6.6       1.6.6

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the filename conflict resolution algorithm in Storage.get_available_name(). Before the fix, a conflicting upload name received a sequential suffix (_1, _2, ...) driven by itertools.count(), and each candidate was checked with exists(), so the k-th upload of the same filename cost k storage probes and n such uploads cost O(n^2) probes in total. The commit diff replaces itertools.count() with get_random_string(), so the loop terminates after a constant expected number of probes regardless of how many conflicting files already exist. The release-note changes and the CVE description confirm that repeated uploads of a conflicting filename were the attack vector. No other functions show direct involvement in the vulnerable pattern.
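The following is an added example, not Django's or Miggo's code, that reproduces the shape of the pre- and post-fix get_available_name() described above against a constructed in-memory storage that counts exists() probes. InMemoryStorage, the get_random_string stand-in and probes_for_repeated_upload are assumptions made for this illustration; the two get_available_name bodies follow the before/after logic (itertools.count() versus a 7-character random suffix) and are not copied from Django.

```python
import itertools
import os
import secrets
import string

ALNUM = string.ascii_letters + string.digits


def get_random_string(length=7, allowed_chars=ALNUM):
    # Stand-in for django.utils.crypto.get_random_string (assumption: same
    # shape, CSPRNG-backed); not Django's implementation.
    return "".join(secrets.choice(allowed_chars) for _ in range(length))


class InMemoryStorage:
    """Constructed stand-in for a Django Storage backend: remembers the names
    that exist and counts every exists() probe so the cost of a naming
    strategy can be measured."""

    def __init__(self):
        self.names = set()
        self.probes = 0

    def exists(self, name):
        self.probes += 1
        return name in self.names

    def save(self, name):
        name = self.get_available_name(name)
        self.names.add(name)
        return name


class SequentialStorage(InMemoryStorage):
    """Pre-fix behaviour (Django before 1.4.14 / 1.5.9 / 1.6.6): append _1, _2,
    ... until a free name is found. The k-th upload of one name costs k probes,
    so n uploads cost n(n+1)/2 probes in total."""

    def get_available_name(self, name):
        dir_name, file_name = os.path.split(name)
        file_root, file_ext = os.path.splitext(file_name)
        count = itertools.count(1)
        while self.exists(name):
            # file_ext includes the dot.
            name = os.path.join(dir_name, "%s_%s%s" % (file_root, next(count), file_ext))
        return name


class RandomSuffixStorage(InMemoryStorage):
    """Post-fix behaviour: append a random 7-character alphanumeric suffix.
    A collision is astronomically unlikely, so each conflicting upload costs
    about two probes no matter how many conflicting files already exist."""

    def get_available_name(self, name):
        dir_name, file_name = os.path.split(name)
        file_root, file_ext = os.path.splitext(file_name)
        while self.exists(name):
            name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext))
        return name


def probes_for_repeated_upload(storage_cls, n_uploads, name="uploads/report.pdf"):
    """Upload the same filename n times and return the total exists() probes,
    i.e. the storage work an attacker forces with n conflicting uploads."""
    storage = storage_cls()
    for _ in range(n_uploads):
        storage.save(name)
    return storage.probes


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, "uploads:",
              "sequential =", probes_for_repeated_upload(SequentialStorage, n),
              "random =", probes_for_repeated_upload(RandomSuffixStorage, n))
```

Running the module shows the sequential strategy growing quadratically (1000 uploads already cost 500500 probes, each of which is a filesystem stat on the real FileSystemStorage) while the random-suffix strategy stays at roughly 2n. The hardened version keeps the while loop deliberately: if the random suffix ever collides it simply draws another, so correctness does not depend on the suffix being unique.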


WAF Protection Rules

WAF Rule

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is up
