CVE-2021-45115

Description

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

How to fix CVE-2021-45115

To remediate CVE-2021-45115, upgrade the affected package to a fixed version below.

• —upgrade to 2.2.26 or later
• —upgrade to 2:2.2.26-1~deb11u1 or later
• —upgrade to 1:1.11.29-1+deb10u3 or later
• —upgrade to 2.2.26 or later
• —upgrade to 2.2.26 or later

Is CVE-2021-45115 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 2.2.0, < 2.2.26, >= 3.2.0, < 3.2.11, >= 4.0.0, < 4.0.1
• from 0, < 2:2.2.26-1~deb11u1
• from 0, < 1:1.11.29-1+deb10u3
• >= 2.2a1, < 2.2.26
• >= 2.2, < 2.2.26, >= 3.2, < 3.2.11, >= 4.0, < 4.0.1

CVSS scores

References (18)

• ADVISORYgithub.com/advisories/GHSA-53qw-q765-4fww
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-45115
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-45115
• ADVISORYwww.djangoproject.com/weblog/2022/jan/04/security-releases/
• PATCH