1-day

Your Django App Is Vulnerable to DoS Attacks: Update Your Python Version Now

Your Django App Is Vulnerable to DoS Attacks: Update Your Python Version Now

Hi, I'm Seokchan Yoon. Recently, a vulnerability I reported to the Python Project was made public. The vulnerability, known as CVE-2024-7592, has a severity score of 7.5 out of 10 according to CVSS 3.x, which is considered 'High'. If it's exploited, it

Django 사용자들이 무조건 Python 버전 업데이트를 해야하는 이유

Django 사용자들이 무조건 Python 버전 업데이트를 해야하는 이유

안녕하세요. 윤석찬입니다. 최근 제가 Python의 CPython 라이브러리에 제보한 취약점이 공개되었습니다. CVSS 3.x 기준 Serverity는 10점 만점 중 7.5점으로 심각도는 '높음'으로 평가되었고, 해당 취약점을 악용하면 인터넷에 노출된 모든 Django 서버에 DoS를 유발시킬 수 있었습니다. 본 글에서는 파이썬의 표준 라이브러리 중 하나인 http.cookies 모듈의 _unquote() 메소드에서

Review for Recent Django Security Issues － CVE-2024-24680, CVE-2024-27351

Review for Recent Django Security Issues － CVE-2024-24680, CVE-2024-27351

CVE-2024-24680: Potential denial-of-service in intcomma template filter TL;DR The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. Your Django server can be under affected denial-of-service issue if you have the code like below, that intcomma template filter uses the value user

Do not use `maildev` anyway 💣

Do not use `maildev` anyway 💣

Introduce Do you guys know maildev application to run temporary mail server? maildev is open-sourced SMTP Server + Web Interface for viewing and testing emails during development. To say conclusionally, DO NOT USE THIS SOFTWARE. Hackers can force-write existing source codes and completely takeover the server. This program has not been

CVE-2023-36053: Potential ReDoS in EmailValidator/URLValidator

CVE-2023-36053: Potential ReDoS in EmailValidator/URLValidator

Hi! This is Seokchan Yoon studying Offensive Security in Korea. 🇰🇷 __ 1. Introduction On July 3rd, 2023, my first CVE was published! * https://www.djangoproject.com/weblog/2023/jul/03/security-releases/ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36053 You can briefly check the details of the vulnerability that I

CVE-2023-23969: Potential denial-of-service via Accept-Language headers

CVE-2023-23969: Potential denial-of-service via Accept-Language headers

Overview Hi guys, this is Seokchan Yoon. The Django security vulnerability has released on February 1, 2023. Because I have big interest in Django, so I analyze this issue just in time. To see the detail for this issue, click the link below. Django security releases issued: 4.1.6,

CVE-2022-28347: Potential SQLi via QuerySet.explain() on PostgreSQL

CVE-2022-28347: Potential SQLi via QuerySet.explain() on PostgreSQL

CVE-2022-28347, Potential SQL injection in Django QuerySet explain() Analysis > https://github.com/advisories/GHSA-w24h-v9qh-8gxj 이 취약점은 PostgreSQL 환경에서 Django QuerySet의 explain 기능을 수행할 때 발생 가능한 SQL Injection 취약점이다. QuerySet 오브젝트의 explain() 메소드를 수행하면 EXPLAIN 명령어를 사용할 수 있다. 이 명령어를 사용할 때 MySQL과 PostgreSQL에서는 특별히 EXPLAIN 명령어에 옵션을