mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.

Browse Source 
Thanks Elias Myllymäki for the report.

Co-authored-by: Shai Berger <shai@platonix.com>
This commit is contained in:
Sarah Boyce
2024-07-12 11:38:34 +02:00
parent 8deb6bb1fc
commit c19465ad87
4 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/releases/4.2.15.txt
View File

@@ -7,6 +7,15 @@ Django 4.2.15 release notes
Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.
CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
================================================================================
If :tfilter:`floatformat` received a string representation of a number in
scientific notation with a large exponent, it could lead to significant memory
consumption.
To avoid this, decimals with more than 200 digits are now returned as is.
Bugfixes
========