CVE-2009-3695 - Vulnerability Details - OpenCVE

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Djangoproject	Django

Configuration 1 [-]

OR	cpe:2.3:a:djangoproject:django:1.0:::::::*
	cpe:2.3:a:djangoproject:django:1.1:::::::*

No data.

References

Link	Providers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457
http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/
http://secunia.com/advisories/36948
http://secunia.com/advisories/36968
http://www.debian.org/security/2009/dsa-1905
http://www.djangoproject.com/weblog/2009/oct/09/security/
http://www.openwall.com/lists/oss-security/2009/10/13/6
http://www.securityfocus.com/bid/36655
http://www.vupen.com/english/advisories/2009/2871
https://exchange.xforce.ibmcloud.com/vulnerabilities/53727

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-10-13T10:00:00

Updated: 2024-08-07T06:38:30.278Z

Reserved: 2009-10-13T00:00:00

Link: CVE-2009-3695

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-10-13T10:30:00.767

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-3695

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-09T00:00:00", "descriptions": [{"lang": "en", "value": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "36655", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36655"}, {"name": "django-emailfield-urlfield-dos(53727)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"}, {"name": "36948", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36948"}, {"name": "36968", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36968"}, {"name": "DSA-1905", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1905"}, {"tags": ["x_refsource_MISC"], "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"}, {"name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"}, {"name": "ADV-2009-2871", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2871"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3695", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "36655", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36655"}, {"name": "django-emailfield-urlfield-dos(53727)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"}, {"name": "http://www.djangoproject.com/weblog/2009/oct/09/security/", "refsource": "CONFIRM", "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"}, {"name": "36948", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36948"}, {"name": "36968", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36968"}, {"name": "DSA-1905", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1905"}, {"name": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/", "refsource": "MISC", "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"}, {"name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"}, {"name": "ADV-2009-2871", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2871"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:38:30.278Z"}, "title": "CVE Program Container", "references": [{"name": "36655", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36655"}, {"name": "django-emailfield-urlfield-dos(53727)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"}, {"name": "36948", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/36948"}, {"name": "36968", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/36968"}, {"name": "DSA-1905", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2009/dsa-1905"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"}, {"name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"}, {"name": "ADV-2009-2871", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/2871"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3695", "datePublished": "2009-10-13T10:00:00", "dateReserved": "2009-10-13T00:00:00", "dateUpdated": "2024-08-07T06:38:30.278Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9023348-07A7-46E8-B45A-CC19563C5961", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "56846659-96C8-497C-8404-3975E5B6385B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression."}, {"lang": "es", "value": "Vulnerabilidad de complejidad algor\u00edtmica en la forma library en Django v1.0 anterior v1.0.4 y v1.1 anterior v1.1.1 permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo CPU( a trav\u00e9s de (1) EmailField (direcci\u00f3n email) o (2) URLField (URL)que provoca una gran cantidad de backtracking (vuelta a atr\u00e1s) en una expresi\u00f3n regular."}], "id": "CVE-2009-3695", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-10-13T10:30:00.767", "references": [{"source": "cve@mitre.org", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"}, {"source": "cve@mitre.org", "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36948"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36968"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2009/dsa-1905"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/36655"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2871"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36948"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36968"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2009/dsa-1905"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/36655"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/2871"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}