Bug 1194115 (CVE-2021-45115) - VUL-0: CVE-2021-45115: python-Django,python-Django1: Denial-of-service possibility in UserAttributeSimilarityValidator
Status: RESOLVED FIXED
Alias: CVE-2021-45115
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/319231/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45115:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-28 14:09 UTC by Gianluca Gabrielli
Modified: 2024-04-26 13:46 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Upstream patch 2.2 (6.85 KB, patch)
2021-12-28 14:14 UTC, Gianluca Gabrielli
Upstream patch 3.2 (7.92 KB, patch)
2021-12-28 14:14 UTC, Gianluca Gabrielli
Upstream patch 4.0 (9.02 KB, patch)
2021-12-28 14:14 UTC, Gianluca Gabrielli
Upstream patch (9.01 KB, patch)
2021-12-28 14:15 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-12-28 14:09:12 UTC
CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``
=====================================================================================

:class:`.UserAttributeSimilarityValidator` incurred significant overhead
evaluating submitted passwords that were artificially large relative to the
comparison values. On the assumption that access to user registration was
unrestricted, this provided a potential vector for a denial-of-service attack.

In order to mitigate this issue, relatively long values are now ignored by
``UserAttributeSimilarityValidator``.

Affected versions
=================

* Django main development branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.0.1
* Django 3.2.11
* Django 2.2.26
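The mitigation described in the advisory above, shown as a stand-alone added example (this is not code from the page, from Django, or from the SUSE packages): a minimal re-creation of the validator's comparison loop, with the pre-fix behaviour (`guard=False`) beside the length-ratio guard the fix introduces. `SAMPLE_USER` is a constructed record. The guard's thresholds and the `exceeds_maximum_length_ratio` name mirror the upstream patch, as does the lower bound on `max_similarity` (which the advisory excerpt above does not mention); the code itself does not import Django.

```python
import re
import time
from difflib import SequenceMatcher

# Constructed sample user record (not real data).
SAMPLE_USER = {
    "username": "jdoe",
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane.doe@example.com",
}


def value_parts(value):
    """Tokens the validator compares against: each \\W+-separated piece plus the whole value."""
    return re.split(r"\W+", value) + [value]


def exceeds_maximum_length_ratio(password, max_similarity, value):
    """Return True when diffing against `value` cannot reach max_similarity.

    quick_ratio() is 2*M / (len(a) + len(b)) with M <= len(b). Once the
    password is at least 10x longer than the token and the token is shorter
    than max_similarity/2 * len(password), the ratio is strictly below the
    threshold, so the O(len(password)) scan can be skipped without changing
    the verdict. Thresholds mirror the upstream mitigation.
    """
    pwd_len = len(password)
    value_len = len(value)
    return pwd_len >= 10 * value_len and value_len < max_similarity / 2 * pwd_len


def check_similarity(password, attributes, max_similarity=0.7, guard=True):
    """Return (too_similar, comparisons_run).

    guard=False reproduces the pre-fix loop: every token triggers a
    SequenceMatcher scan over the whole password, so a registration request
    carrying a multi-megabyte password costs the server that much work per
    token, for every attribute. guard=True skips scans whose outcome is known.
    """
    if max_similarity < 0.1:
        # Very low thresholds would defeat the guard, so the fix forbids them.
        raise ValueError("max_similarity must be at least 0.1")
    comparisons = 0
    lowered = password.lower()
    for value in attributes.values():
        if not value:
            continue
        for part in value_parts(value):
            if guard and exceeds_maximum_length_ratio(password, max_similarity, part):
                continue
            comparisons += 1
            if SequenceMatcher(a=lowered, b=part.lower()).quick_ratio() >= max_similarity:
                return True, comparisons
    return False, comparisons


def time_check(password, attributes, guard):
    """Wall-clock the check once; returns ((too_similar, comparisons), seconds)."""
    start = time.perf_counter()
    result = check_similarity(password, attributes, guard=guard)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Normal-sized input: the guard never fires, verdicts are unchanged.
    print(check_similarity("JaneDoe", SAMPLE_USER))                        # (True, 1)
    print(check_similarity("correct horse battery staple", SAMPLE_USER))   # (False, 11)
    # Attacker-sized input: 1 MiB of filler in the password field
    # (a real attacker would send far more, and many requests in parallel).
    huge = "x" * (1024 * 1024)
    for guard in (False, True):
        (verdict, n), secs = time_check(huge, SAMPLE_USER, guard)
        print(f"guard={guard}: similar={verdict} comparisons={n} {secs:.2f}s")
```

Run it and compare the two timings on the oversized password: the unguarded loop performs one full scan of the password per token (11 here), while the guarded loop performs none and returns the same verdict. Note that the guard only mitigates the validator's own CPU cost; the request body still has to be read and parsed, so a size limit on the password field at the form or web-server layer is the complementary control.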
Comment 3 Gianluca Gabrielli 2021-12-28 14:14:13 UTC
Created attachment 854842 [details]
Upstream patch 2.2
Comment 4 Gianluca Gabrielli 2021-12-28 14:14:41 UTC
Created attachment 854843 [details]
Upstream patch 3.2
Comment 5 Gianluca Gabrielli 2021-12-28 14:14:57 UTC
Created attachment 854844 [details]
Upstream patch 4.0
Comment 6 Gianluca Gabrielli 2021-12-28 14:15:18 UTC
Created attachment 854845 [details]
Upstream patch
Comment 7 Carlos López 2021-12-28 17:11:19 UTC
Affected codestreams:
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1

Also affected on openSUSE:
 - openSUSE:Leap:15.2 / python-Django (EOL by the time of the CRD)
 - openSUSE:Backports:SLE-15-SP2 / python-Django (EOL by the time of the CRD)
 - openSUSE:Backports:SLE-15-SP3 / python-Django
 - openSUSE:Backports:SLE-15-SP4 / python-Django
 - openSUSE:Factory / python-Django
 - openSUSE:Leap:15.2 / python-Django1 (EOL by the time of the CRD)
 - openSUSE:Backports:SLE-15-SP2 / python-Django1 (EOL by the time of the CRD)
 - openSUSE:Backports:SLE-15-SP3 / python-Django1
 - openSUSE:Backports:SLE-15-SP4 / python-Django1
Comment 9 Fergal Mc Carthy 2022-01-13 17:49:34 UTC
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django:
  * https://build.suse.de/request/show/262170

SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1:
  * https://build.suse.de/request/show/262169
Comment 10 Swamp Workflow Management 2022-01-18 14:18:57 UTC
SUSE-SU-2022:0102-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.29-3.33.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.29-3.33.1
HPE Helion Openstack 8 (src):    python-Django-1.11.29-3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-01-18 14:37:03 UTC
SUSE-SU-2022:0103-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.29-3.30.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.29-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Christian Almeida de Oliveira 2022-01-19 11:38:35 UTC
SOC updates released, back to security team.
Comment 13 Swamp Workflow Management 2023-01-03 14:22:59 UTC
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1
Comment 14 Marcus Meissner 2024-04-26 13:46:35 UTC
released