py-django: memory exhaustion in django.utils.numberformat.format() (CVE-2019-6975)
A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11 and 1.11.19. If django.utils.numberformat.format(), used by contrib.admin as well as by the floatformat, filesizeformat and intcomma template filters, received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
References:
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2019-6975
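The mitigation described above, as an added example that is not Django's own code: a formatter that measures how many digits a plain '{:f}' expansion would have to materialise via Decimal.as_tuple() (which never expands the value) and switches to scientific notation past the 200-digit cutoff. MAX_PLAIN_DIGITS, plain_width and safe_format are names chosen here, and the handling of non-finite values is an addition of this example.

```python
from decimal import Decimal
from typing import Optional

# Cutoff named in the advisory: beyond this many digits a plain '{:f}'
# expansion is replaced by scientific notation.
MAX_PLAIN_DIGITS = 200


def plain_width(number: Decimal) -> int:
    """Digits a plain '{:f}' rendering of `number` would have to materialise.

    as_tuple() exposes the coefficient digits and the exponent without
    expanding the value, so this costs O(len(digits)) however large the
    exponent is. Only valid for finite values (see safe_format).
    """
    _, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def safe_format(number: Decimal, decimal_pos: Optional[int] = None) -> str:
    """Render a Decimal for display without unbounded memory use.

    Values whose plain expansion would exceed MAX_PLAIN_DIGITS are rendered
    with '{:e}', whose output size is bounded by the coefficient length and
    not by the exponent. NaN and Infinity carry a non-integer exponent in
    as_tuple(), so they are returned as-is instead of being measured
    (edge case added in this example).
    """
    if not number.is_finite():
        return str(number)
    if plain_width(number) > MAX_PLAIN_DIGITS:
        spec = 'e' if decimal_pos is None else '.{}e'.format(decimal_pos)
    else:
        spec = 'f' if decimal_pos is None else '.{}f'.format(decimal_pos)
    return format(number, spec)


if __name__ == '__main__':
    # Constructed inputs: an ordinary value and one with a huge exponent.
    for value in (Decimal('1234.5678'), Decimal('1E1000000')):
        print(value, '->', safe_format(value, decimal_pos=2))
```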
(from redmine: issue id 10002, created on 2019-02-21, closed on 2019-03-05)
- Relations:
- child #10003 (closed)
- child #10004 (closed)
- child #10005 (closed)
- child #10006 (closed)
- child #10007 (closed)