The Django project, which maintains the open-source Python web framework of the same name, has disclosed a denial-of-service vulnerability affecting sites and applications built on the framework. According to the project's advisory, internationalized URLs in Django 3.2, 4.0 and 4.1 were subject to a potential denial-of-service attack because the locale parameter was treated as a regular expression rather than as a literal string.
The project released fixed versions for each supported release series alongside the advisory. Django's security policy only covers supported series, so deployments on older, end-of-life series need to move to a supported release to receive the fix.
Django DoS vulnerability explained
Django is a widely used framework for building web applications. The advisory is listed in the GitHub Advisory Database as a GitHub-reviewed advisory and is tracked as CVE-2022-41323.
The affected component is Django's support for internationalized URLs, the feature that lets a site prefix its URL patterns with a language code so that one application can serve several languages. Affected versions are 3.2 before 3.2.16, 4.0 before 4.0.8 and 4.1 before 4.1.2. Under Django's security policy the issue is rated medium severity; fixes for every supported series were released together with the advisory.
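To make "treated as a regular expression" concrete, the following is an added illustration written for this article, not Django's code and not the project's patch. It models the general hazard: a caller-supplied locale string interpolated into a regex pattern, beside two hardened variants. The allow-list pattern `LANGUAGE_CODE_RE`, the function names and the sample paths are all assumptions constructed for the example.

```python
import re

# Illustrative code written for this article; it is not Django's implementation.
# It models the general hazard named in the advisory: a caller-supplied locale
# string interpolated into a regular expression instead of being matched
# literally.

# Assumed allow-list for language tags, e.g. "en", "en-us", "sr-latn", "de@formal".
LANGUAGE_CODE_RE = re.compile(
    r"^[a-z]{1,8}(?:-[a-z0-9]{1,8})*(?:@[a-z0-9]{1,20})?$", re.IGNORECASE
)


def unsafe_prefix_pattern(language_code: str) -> re.Pattern:
    """Vulnerable variant: the code is pasted into the pattern unescaped.

    Any regex metacharacters in language_code (".", "+", "(", "$", ...)
    change what the pattern matches, and nested quantifiers such as
    "(a+)+" can make matching take exponential time on a crafted path.
    """
    return re.compile(f"^/{language_code}/")


def escaped_prefix_pattern(language_code: str) -> re.Pattern:
    """Hardened variant, step 1: re.escape() makes the code match literally."""
    return re.compile("^/" + re.escape(language_code) + "/")


def is_valid_language_code(language_code: str) -> bool:
    """True if the string looks like a language tag under the assumed allow-list."""
    return LANGUAGE_CODE_RE.match(language_code) is not None


def strict_prefix_pattern(language_code: str) -> re.Pattern:
    """Hardened variant, step 2: validate the tag before it touches a regex."""
    if not is_valid_language_code(language_code):
        raise ValueError(f"invalid language code: {language_code!r}")
    return escaped_prefix_pattern(language_code)


def strip_language_prefix(pattern: re.Pattern, path: str):
    """Return the path with its language prefix removed, or None if no match."""
    m = pattern.match(path)
    return path[m.end():] if m else None


if __name__ == "__main__":
    # Constructed sample paths. "e." is not a language code, but the unsafe
    # variant treats "." as a wildcard and matches both /en/ and /es/.
    print(strip_language_prefix(unsafe_prefix_pattern("e."), "/en/about/"))
    print(strip_language_prefix(unsafe_prefix_pattern("e."), "/es/about/"))
    # Escaped, the same string only matches the literal characters "e.".
    print(strip_language_prefix(escaped_prefix_pattern("e."), "/en/about/"))
    # A locale built from nested quantifiers becomes a backtracking-prone
    # pattern in the unsafe variant; the strict variant rejects it up front.
    print(unsafe_prefix_pattern("(a+)+$").pattern)
    try:
        strict_prefix_pattern("(a+)+$")
    except ValueError as exc:
        print(exc)
```

The two hardening steps are independent: `re.escape()` alone removes the regex interpretation, and the allow-list alone rejects strings that cannot be language tags. Applying both is the defensive default, because it keeps untrusted input out of the regex engine even if a later refactor drops the escaping.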
Django release updates for supported versions
The 4.1, 4.0 and 3.2 release branches of Django, as well as the main branch, have all received patches for the problem. The following changesets contain the fix:
- Main branch
- 4.1 release branch
- 4.0 release branch
- 3.2 release branch
The following releases have been issued:
- Django 4.1.2
- Django 4.0.8
- Django 3.2.16
Django 4.1.2, 4.0.8 and 3.2.16 were issued under the project's security release policy, and all users are urged to upgrade as soon as possible. To confirm which version a deployment is running, `python -m django --version` prints the installed release; anything on 3.2 below 3.2.16, 4.0 below 4.0.8 or 4.1 below 4.1.2 is affected.