Allele Security Alert
ASA-2019-00074
Identifier(s)
ASA-2019-00074, CVE-2019-6975
Title
Memory exhaustion in utils.numberformat.format()
Vendor(s)
Django Software Foundation
Product(s)
Django
Affected version(s)
Django 2.2 before commit 83ab3e26647f6a50cdfac01ecf735cad540b2f35
Django 2.1 before version 2.1.6
Django 2.0 before version 2.0.11
Django 1.11 before version 1.11.19
Fixed version(s)
Django 2.2 after commit 83ab3e26647f6a50cdfac01ecf735cad540b2f35
Django 2.1.6
Django 2.0.11
Django 1.11.19
Proof of concept
Unknown
Description
If django.utils.numberformat.format() — used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters — received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to ‘{:f}’.format(), which expands the Decimal into its full positional digit string.
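The mechanism described above, as an added example that is not Django's code or its actual fix: Decimal.as_tuple() exposes the coefficient digits and exponent without materialising the digit string, so a formatter can estimate how large '{:f}' output would be and fall back to scientific notation beyond a cutoff. MAX_PLAIN_DIGITS and the helper names are constructed for this illustration.

```python
from decimal import Decimal

# Constructed cutoff for this example: Decimals whose plain rendering would
# exceed this many characters are switched to scientific notation instead.
MAX_PLAIN_DIGITS = 200


def plain_width(value):
    """Cheaply estimate how many characters '{:f}'.format(number) would emit.

    as_tuple() returns the coefficient digits and the exponent, so the
    estimate needs O(1) extra memory even for Decimal('1E+1000000000'),
    whereas '{:f}' would try to build a string of roughly that many zeros.
    """
    _, digits, exponent = Decimal(value).as_tuple()
    if not isinstance(exponent, int):  # 'n' (NaN) or 'F' (Infinity)
        return 0
    # Positive exponent: digits followed by `exponent` zeros; negative
    # exponent: a fraction with up to |exponent| places (plus "0.").
    return len(digits) + abs(exponent)


def safe_format(value):
    """Render a Decimal for display without letting its exponent drive memory use.

    Values that would expand past MAX_PLAIN_DIGITS are emitted with '{:e}',
    whose size grows only with the number of significant digits plus the
    length of the exponent itself, not with the exponent's magnitude.
    """
    number = Decimal(value)
    if plain_width(number) > MAX_PLAIN_DIGITS:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed sample inputs: an ordinary value, two large-exponent
    # values that would be expensive under '{:f}', and a special value.
    for text in ('1234.5', '1E+50000', '1E+1000000000', '1.5E-300', 'NaN'):
        print(f'{text:>14} -> estimated width {plain_width(text):>11} '
              f'-> {safe_format(text)}')
```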
Technical details
Unknown
Credits
Sjoerd Job Postmus
Reference(s)
CVE-2019-6975 — Django fixed memory exhaustion in utils.numberformat.format().
https://seclists.org/oss-sec/2019/q1/118
Django security releases issued: 2.1.6, 2.0.11 and 1.11.19
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
[2.2.x] Fixed CVE-2019-6975 — Fixed memory exhaustion in utils.numberformat.format().
https://github.com/django/django/commit/83ab3e26647f6a50cdfac01ecf735cad540b2f35
CVE-2019-6975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975
CVE-2019-6975
https://nvd.nist.gov/vuln/detail/CVE-2019-6975
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 3, 2019