{"id":"PYSEC-2021-64","details":"django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.","aliases":["CVE-2020-15225","GHSA-x7gm-rfgv-w973"],"modified":"2023-11-08T04:02:34.315369Z","published":"2021-04-29T21:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973"},{"type":"FIX","url":"https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b"},{"type":"PACKAGE","url":"https://pypi.org/project/django-filter/"},{"type":"WEB","url":"https://github.com/carltongibson/django-filter/releases/tag/2.4.0"}],"affected":[{"package":{"name":"django-filter","ecosystem":"PyPI","purl":"pkg:pypi/django-filter"},"ranges":[{"type":"GIT","repo":"https://github.com/carltongibson/django-filter","events":[{"introduced":"0"},{"fixed":"340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"versions":["0.1.0","0.2.0","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.6a1","0.6","0.7","0.8","0.9.0","0.9.1","0.9.2","0.10.0","0.11.0","0.12.0","0.13.0","0.14.0","0.15.0","0.15.1","0.15.2","0.15.3","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","2.0.0.dev1","2.0.0","2.1.0","2.2.0","2.3.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django-filter/PYSEC-2021-64.yaml"}}],"schema_version":"1.7.3"}