{"id":"PYSEC-2024-86","details":"Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.\n","aliases":["CVE-2024-39317","GHSA-jmp3-39vp-fwg8"],"modified":"2024-09-19T19:57:23.689301Z","published":"2024-07-11T16:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8"},{"type":"FIX","url":"https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"},{"type":"FIX","url":"https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797"},{"type":"FIX","url":"https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2"}],"affected":[{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"GIT","repo":"https://github.com/wagtail/wagtail","events":[{"introduced":"0"},{"fixed":"31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"},{"fixed":"3c941136f79c48446e3858df46e5b668d7f83797"},{"fixed":"b783c096b6d4fd2cfc05f9137a0be288850e99a2"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.1"},{"fixed":"6.1.3"},{"introduced":"6.0"},{"fixed":"6.0.6"},{"introduced":"2.0"},{"fixed":"5.2.6"}]}],"versions":["2.0","2.0.1","2.0.2","2.1","2.1.1","2.1.2","2.1.3","2.10","2.10.1","2.10.2","2.10rc1","2.10rc2","2.11","2.11.1","2.11.2","2.11.3","2.11.4","2.11.5","2.11.6","2.11.7","2.11.8","2.11.9","2.11rc1","2.12","2.12.1","2.12.2","2.12.3","2.12.4","2.12.5","2.12.6","2.12rc1","2.13","2.13.1","2.13.2","2.13.3","2.13.4","2.13.5","2.13rc1","2.13rc2","2.13rc3","2.14","2.14.1","2.14.2","2.14rc1","2.15","2.15.1","2.15.2","2.15.3","2.15.4","2.15.5","2.15.6","2.15rc1","2.15rc2","2.16","2.16.1","2.16.2","2.16.3","2.16rc1","2.16rc2","2.1rc1","2.1rc2","2.2","2.2.1","2.2.2","2.2rc1","2.2rc2","2.3","2.3rc1","2.3rc2","2.4","2.4rc1","2.5","2.5.1","2.5.2","2.5rc1","2.6","2.6.1","2.6.2","2.6.3","2.6rc1","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.7rc1","2.7rc2","2.8","2.8.1","2.8.2","2.8rc1","2.9","2.9.1","2.9.2","2.9.3","2.9rc1","3.0","3.0.1","3.0.2","3.0.3","3.0rc1","3.0rc2","3.0rc3","4.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0rc1","4.0rc2","4.1","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.1rc1","4.2","4.2.1","4.2.2","4.2.3","4.2.4","4.2rc1","5.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5","5.0rc1","5.1","5.1.1","5.1.2","5.1.3","5.1rc1","5.2","5.2.1","5.2.2","5.2.3","5.2.4","5.2.5","5.2rc1","6.0","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.1","6.1.1","6.1.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2024-86.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"}]}