CVE-2015-0222

MEDIUM severity · CVSS 5 · CWE-17

5CVSS MEDIUM

Summary

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impactNone

Availability impact—

Exploit probability (EPSS)4%

AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected products we track (2)

Django Ubuntu

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://advisories.mageia.org/MGASA-2015-0026.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
http://secunia.com/advisories/62285
http://secunia.com/advisories/62309