Wagtail bug could lead to denial of service
CVE-2024-39317

4.9MEDIUM

Key Information:

Vendor

Wagtail

Status
Wagtail
Vendor
CVE Published:
11 July 2024

What is CVE-2024-39317?

Wagtail is an open source content management system built on Django. A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

Affected Version(s)

wagtail >= 2.0, < 5.2.6 < 2.0, 5.2.6

wagtail >= 6.0, < 6.0.6 < 6.0, 6.0.6

wagtail >= 6.1, < 6.1.3 < 6.1, 6.1.3

References

https://github.com/wagtail/wagtail/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b7...
x_refsource_MISC
https://github.com/wagtail/wagtail/commit/3c941136f79c484...
x_refsource_MISC

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.