3 vulnerabilities in Django that can crash applications or leak data

Cybersecurity specialists reported the finding of three vulnerabilities in Django, the free and open source Python web framework (the Django CMS content management system is a separate project built on top of it). According to the report, successful exploitation of these flaws would allow denial of service (DoS) attacks, disclosure of information from the application and, in one case, writing an uploaded file outside of its intended directory.

Below are brief descriptions of the reported flaws, with their CVE identifiers and the scores the report assigns them under the Common Vulnerability Scoring System (CVSS).

CVE-2021-45115: UserAttributeSimilarityValidator, one of Django's default password validators, incurred significant overhead when evaluating a submitted password that was artificially large in relation to the user attributes it is compared against. A remote threat actor who can reach any form that runs password validation (registration, password change) can submit such oversized passwords to exhaust CPU and perform a DoS attack.

The vulnerability received a CVSS score of 6.5/10.
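The following is an added example, not code from the original page or from Django itself. `validate_not_similar` is a cut-down stand-in for UserAttributeSimilarityValidator that compares the password against each user attribute (and each word of it) with `difflib.SequenceMatcher.quick_ratio()`, the primitive the real validator uses; the attribute names, the sample user and the `guard` flag are assumptions for this demo. With `guard=False` the cost of every comparison scales with the attacker-supplied password length; with `guard=True` a length-ratio test in the spirit of the upstream fix skips comparisons whose bound is already below the threshold.

```python
"""CVE-2021-45115 in miniature: a similarity check whose cost the client controls."""
import re
import time
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7                                               # Django's default threshold
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")  # Django's default attribute set


class SimilarPasswordError(ValueError):
    pass


def max_possible_ratio(password, value):
    """Upper bound of SequenceMatcher(a=password, b=value).quick_ratio().
    quick_ratio() is 2*matches/(len(a)+len(b)) and `matches` can never exceed
    the shorter string, so a 5-char username against a 2 MB password caps out
    near 0.000005: scanning the 2 MB string is pure wasted CPU."""
    total = len(password) + len(value)
    if total == 0:
        return 1.0
    return 2.0 * min(len(password), len(value)) / total


def threshold_unreachable(password, value, max_similarity=MAX_SIMILARITY):
    """True when no strings of these two lengths can score >= max_similarity."""
    return max_possible_ratio(password, value) < max_similarity


def validate_not_similar(password, user, max_similarity=MAX_SIMILARITY, guard=True):
    """Raise SimilarPasswordError if `password` resembles any user attribute.
    Returns how many SequenceMatcher comparisons actually ran; that count times
    the password length is the work an attacker inflates."""
    comparisons = 0
    password = password.lower()
    for attribute in USER_ATTRIBUTES:
        value = user.get(attribute)
        if not value or not isinstance(value, str):
            continue
        value = value.lower()
        for part in re.split(r"\W+", value) + [value]:     # words of the value, then the whole value
            if not part:
                continue
            if guard and threshold_unreachable(password, part, max_similarity):
                continue                                     # cannot be similar: skip the scan
            comparisons += 1
            if SequenceMatcher(a=password, b=part).quick_ratio() >= max_similarity:
                raise SimilarPasswordError(f"The password is too similar to the {attribute}.")
    return comparisons


# Constructed sample user for this example (not real data).
USER = {"username": "admin", "email": "admin@example.com", "first_name": "", "last_name": ""}


def time_validation(password, guard):
    """Return (comparisons run, seconds taken) for one validation pass."""
    start = time.perf_counter()
    comparisons = validate_not_similar(password, USER, guard=guard)
    return comparisons, time.perf_counter() - start


if __name__ == "__main__":
    try:                                  # a genuinely similar password is still rejected with the guard on
        validate_not_similar("admin123", USER)
    except SimilarPasswordError as exc:
        print("rejected:", exc)
    big = "x" * 2_000_000                 # under Django's default 2.5 MB DATA_UPLOAD_MAX_MEMORY_SIZE
    for guard in (False, True):
        n, secs = time_validation(big, guard)
        print(f"guard={guard}: {n} comparisons in {secs:.3f}s")
```

Run it once to see the unguarded pass walk the 2 MB string six times (twice for `username`, four times for the e-mail and its parts) while the guarded pass performs no comparison at all; a short password such as `admin123` is still caught either way, because its length bound (10/13) sits above the threshold.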

CVE-2021-45116: The dictsort template filter resolved its key argument with the template language's variable resolution logic, so a suitably crafted key could expose attributes of the objects being sorted that the developer never intended to show, or trigger an unintended method call on them. Applications are exposed when the key passed to dictsort is derived from user input.

The vulnerability received a CVSS score of 3.8/10.
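The following is an added example, not code from the original page or from Django. `template_style_resolver` imitates, in simplified form, how a template variable is resolved (dict key, then attribute, then index) and, crucially, calls any callable it reaches; that is the behaviour that made the old dictsort dangerous when its key came from a request. `safe_resolver` follows the shape of the fix: plain item/attribute lookup, no calls, no names starting with an underscore. The `Account` class, its data, the `sort_with` helper and the `sort_accounts` view are constructed for this example.

```python
"""CVE-2021-45116 in miniature: dictsort resolving a caller-controlled key."""
from operator import itemgetter


class Account:
    """Constructed model. `deactivate` carries no `alters_data` flag, so a real
    template Variable would call it as readily as this simplified resolver does."""
    def __init__(self, username, score, api_token):
        self.username = username
        self.score = score
        self.api_token = api_token      # a secret that should never drive page output
        self.active = True

    def deactivate(self):
        self.active = False
        return self.username            # returns something sortable, as many helpers do


def make_accounts():
    """Fresh constructed data for each run."""
    return [Account("carol", 7, "tok-1"), Account("alice", 9, "tok-9"), Account("bob", 3, "tok-5")]


def template_style_resolver(key):
    """Resolve a dotted `key` the way a template variable does (simplified)."""
    parts = key.split(".")

    def resolve(obj):
        current = obj
        for part in parts:
            try:
                current = current[part]                 # dictionary lookup
            except (TypeError, KeyError, IndexError):
                try:
                    current = getattr(current, part)    # attribute lookup
                except AttributeError:
                    current = current[int(part)]        # list index
            if callable(current):
                current = current()                     # the unintended method call
        return current
    return resolve


def safe_resolver(key):
    """Resolve `key` without ever calling what it finds (shape of the fix)."""
    try:
        float(key)
    except ValueError:
        if key.startswith("_") or "._" in key:
            raise AttributeError("Access to private variables is forbidden.")
        parts = key.split(".")

        def resolve(value):
            for part in parts:
                try:
                    value = value[part]
                except (AttributeError, IndexError, KeyError, TypeError, ValueError):
                    value = getattr(value, part)
            return value
        return resolve
    else:
        return itemgetter(key)          # numeric keys index sequences directly


def dictsort(value, arg, resolver):
    """Sort `value` by key `arg`; like Django's filter, return '' when sorting fails."""
    try:
        return sorted(value, key=resolver(arg))
    except (TypeError, AttributeError, KeyError, IndexError, ValueError):
        return ""


def sort_with(arg, resolver):
    """Run dictsort over fresh accounts; return (resulting order, accounts deactivated)."""
    accounts = make_accounts()
    result = dictsort(accounts, arg, resolver)
    order = [a.username for a in result] if result != "" else ""
    deactivated = sum(1 for a in accounts if not a.active)
    return order, deactivated


ALLOWED_SORT_KEYS = {"username", "score"}


def sort_accounts(requested_key):
    """What a view should do when the sort key comes from the request: allow-list it.
    The hardened resolver alone still lets a user sort by `api_token` and learn
    about the secret from the resulting order."""
    key = requested_key if requested_key in ALLOWED_SORT_KEYS else "username"
    order, _ = sort_with(key, safe_resolver)
    return order


if __name__ == "__main__":
    print("old-style, key=deactivate:", sort_with("deactivate", template_style_resolver))
    print("hardened,  key=deactivate:", sort_with("deactivate", safe_resolver))
    print("hardened,  key=api_token: ", sort_with("api_token", safe_resolver))
    print("view with allow-list:      ", sort_accounts("api_token"))
```

The first line of output shows every account deactivated as a side effect of merely sorting; the hardened resolver hands bound methods to `sorted()`, which refuses to compare them, so the filter returns `''` and nothing is called. The third line is the reminder that resolver hardening does not make a user-controlled key safe: sorting by `api_token` still orders the rows by a secret, which is why the view allow-lists the key.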

CVE-2021-45452: Storage.save() did not reject directory traversal sequences in the file name it was given. An application that passes a user-supplied filename (for example, the name of an HTTP upload) directly to Storage.save() could be made by a remote threat actor to write the file outside of the intended directory.

This is a low-severity vulnerability and received a CVSS score of 2.7/10.
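The following is an added example, not code from the original page or from Django. `NaiveStorage` joins the media root with whatever name it is given, which is the unsafe pattern; `HardenedStorage` runs two checks before writing: `validate_file_name`, which mirrors the kind of check the fix added (reject empty, `.` and `..` basenames, absolute paths and any `..` component), and `safe_join`, which proves the final absolute path is still under the storage root. Class names, the scratch directory layout and the file names tried are constructed for this example.

```python
"""CVE-2021-45452 in miniature: a storage save() that trusts its filename."""
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    pass


def validate_file_name(name, allow_relative_path=False):
    """Reject names that could escape the upload directory. With
    allow_relative_path=False only a bare basename is accepted."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)            # storage names are POSIX-style
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


def safe_join(base, name):
    """Join, then prove the result is inside `base`: os.path.join alone discards
    `base` entirely when `name` is absolute, and '..' walks out of it."""
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, name))
    if os.path.commonpath([base_path, final_path]) != base_path:
        raise SuspiciousFileOperation(f"'{final_path}' is outside '{base_path}'")
    return final_path


def _write(full_path, content):
    os.makedirs(os.path.dirname(full_path), exist_ok=True)
    with open(full_path, "wb") as fh:
        fh.write(content)
    return full_path


class NaiveStorage:
    def __init__(self, location):
        self.location = os.path.abspath(location)

    def save(self, name, content):
        # Unsafe: '../x' walks up the tree, '/etc/x' replaces the root outright.
        return _write(os.path.join(self.location, name), content)


class HardenedStorage(NaiveStorage):
    def save(self, name, content):
        validate_file_name(name, allow_relative_path=True)   # string-level check
        return _write(safe_join(self.location, name), content)  # path-level check


def rejected_names(names):
    """Return the subset of `names` that validate_file_name() rejects."""
    rejected = []
    for name in names:
        try:
            validate_file_name(name, allow_relative_path=True)
        except SuspiciousFileOperation:
            rejected.append(name)
    return rejected


def run_demo():
    """Save the same names through both storages inside a scratch directory.
    Returns (label, where the naive write landed, hardened outcome) triples."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.abspath(os.path.join(tmp, "media"))   # the pretend MEDIA_ROOT
        os.makedirs(media)
        outside = os.path.join(tmp, "owned.txt")              # absolute path outside it
        attempts = [
            ("avatar.png", "avatar.png"),
            ("2022/01/report.pdf", "2022/01/report.pdf"),
            ("../owned.txt", "../owned.txt"),
            ("<absolute path outside MEDIA_ROOT>", outside),
        ]
        for label, name in attempts:
            written = os.path.abspath(NaiveStorage(media).save(name, b"constructed content"))
            landed = "inside" if os.path.commonpath([media, written]) == media else "outside"
            try:
                HardenedStorage(media).save(name, b"constructed content")
                outcome = "written"
            except SuspiciousFileOperation:
                outcome = "rejected"
            results.append((label, landed, outcome))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(*row, sep="\t")
```

The naive storage happily lands `../owned.txt` and the absolute name outside the media root, while the hardened one rejects both and still accepts legitimate nested names such as `2022/01/report.pdf`. Keeping `safe_join` in addition to the name check is deliberate: it is the check that holds even if some other code path hands the storage an unvalidated name.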

According to the report, these flaws are present in Django 2.0 to 2.0.13, 2.1 to 2.1.15, 2.2 to 2.2.25, 3.0 to 3.0.14, 3.1 to 3.1.14, 3.2 to 3.2.10 and 4.0. Of these, the 2.0, 2.1, 3.0 and 3.1 series had already reached end of life and did not receive fixes.

The vulnerabilities can be exploited by remote malicious hackers; nonetheless, cybersecurity experts are not aware of any active exploitation campaigns. The Django project addressed the three issues in the 4.0.1, 3.2.11 and 2.2.26 security releases, and administrators are advised to update to one of those versions or later.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.