Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2010-4535 | First vendor Publication | 2011-01-10 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4535 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13124 | |||
| Oval ID: | oval:org.mitre.oval:def:13124 | ||
| Title: | USN-1040-1 -- python-django vulnerabilities | ||
| Description: | Adam Baldwin discovered that Django did not properly validate query string lookups. This could be exploited to provide an information leak to an attacker with admin privilieges. Paul McMillan discovered that Django did not validate the length of the token used when generating a password reset. An attacker could exploit this to cause a denial of service via resource exhaustion | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-1040-1 CVE-2010-4534 CVE-2010-4535 | Version: | 5 |
| Platform(s): | Ubuntu 10.10 Ubuntu 9.10 Ubuntu 10.04 | Product(s): | python-django |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-01-14 | Name : Fedora Update for Django FEDORA-2011-0096 File : nvt/gb_fedora_2011_0096_Django_fc13.nasl |
| 2011-01-14 | Name : Fedora Update for Django FEDORA-2011-0120 File : nvt/gb_fedora_2011_0120_Django_fc14.nasl |
| 2011-01-11 | Name : Ubuntu Update for python-django vulnerabilities USN-1040-1 File : nvt/gb_ubuntu_USN_1040_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 70160 | Django django.contrib.auth Multiple Crafted Password Reset Token Remote DoS Django contains a flaw that may allow a remote denial of service. The issue is triggered when the 'django.contrib.auth' authentication support fails to properly restrict the maximum size of the base36 integer part of password reset tokens. This may be exploited by using multiple crafted password reset tokens to cause a denial of service via high CPU consumption. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2011-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0096.nasl - Type : ACT_GATHER_INFO |
| 2011-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0120.nasl - Type : ACT_GATHER_INFO |
| 2011-01-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1040-1.nasl - Type : ACT_GATHER_INFO |
| 2010-12-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_14a37474138311e08a5800215c6a37bb.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 23:06:26 |
|
| 2024-11-28 12:23:49 |
|
| 2021-05-05 01:07:47 |
|
| 2021-05-04 12:13:13 |
|
| 2021-04-22 01:13:38 |
|
| 2020-05-23 01:43:11 |
|
| 2020-05-23 00:27:03 |
|
| 2016-04-26 20:17:33 |
|
| 2014-02-17 10:58:58 |
|
| 2013-05-10 23:38:40 |
|
