An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5c7fb64c74 advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-84fbbbb914 advisory.

  - In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are     subject to a potential ReDoS (regular expression denial of service) attack via a very large number of     domain name labels of emails and URLs. (CVE-2023-36053)

  - In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri()     is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of     Unicode characters. (CVE-2023-41164)

  - In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator     chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service)     attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods     are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also     vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. (CVE-2023-43665)

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

  - python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator     (CVE-2023-36053)

  - python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

  - python-django: Potential denial of service vulnerability in  ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

  - python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-2ec03ca8cb advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

  - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the     django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are     subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue     exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

  - golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)

  - GitPython: Blind local file inclusion (CVE-2023-41040)

  - axios: exposure of confidential data stored in cookies (CVE-2023-45857)

  - python-twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

  - golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

  - python-aiohttp: http request smuggling (CVE-2024-23829)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

  - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1057 advisory.

  - pygments: ReDoS in pygments (CVE-2022-40896)

  - python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a     long text argument (CVE-2023-44271)

  - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

  - aiohttp: HTTP request modification (CVE-2023-49081)

  - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

  - pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)

  - ansible automation platform: Insecure websocket used when interacting with EDA server (CVE-2024-1657)

  - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

  - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the e0f6215b-c59e-11ee-a6db-080027a5b8e9 advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6623-1 advisory.

  - An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The     intcomma template filter was subject to a potential denial-of-service attack when used with very long     strings. (CVE-2024-24680)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
195691	RHEL 7 : django (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
194649	Fedora 40 : python-django (2024-5c7fb64c74)	Nessus	Fedora Local Security Checks	high
193650	Fedora 38 : python-django3 (2024-84fbbbb914)	Nessus	Fedora Local Security Checks	high
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	high
193457	Fedora 39 : python-django (2024-2ec03ca8cb)	Nessus	Fedora Local Security Checks	high
193086	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)	Nessus	Red Hat Local Security Checks	high
191748	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Important) (RHSA-2024:1057)	Nessus	Red Hat Local Security Checks	high
190128	FreeBSD : Django -- multiple vulnerabilities (e0f6215b-c59e-11ee-a6db-080027a5b8e9)	Nessus	FreeBSD Local Security Checks	high
190066	Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.10 : Django vulnerability (USN-6623-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2024-24680

high

Tenable Plugins

high

high

high

high

high

high

high

high

high