Moderate severity · NVD Advisory · Published Jan 14, 2025 · Updated Feb 12, 2025
CVE-2024-56374
Description
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Django | PyPI | >= 5.1, < 5.1.5 | 5.1.5 |
| Django | PyPI | >= 5.0, < 5.0.11 | 5.0.11 |
| Django | PyPI | >= 4.2, < 4.2.18 | 4.2.18 |
Affected products
| Package coordinates | Affected range |
|---|---|
| pkg:apk/chainguard/awx | < 24.6.1-r3 |
| pkg:apk/chainguard/py3.10-django | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.10-django-bin | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.11-django | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.11-django-bin | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.12-django | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.12-django-bin | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.13-django | < 5.1.5-r0 |
| pkg:apk/chainguard/py3.13-django-bin | < 5.1.5-r0 |
| pkg:apk/chainguard/py3-django | < 5.1.5-r0 |
| pkg:apk/chainguard/py3-supported-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.10-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.10-django-bin | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.11-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.11-django-bin | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.12-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.12-django-bin | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.13-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3.13-django-bin | < 5.1.5-r0 |
| pkg:apk/wolfi/py3-django | < 5.1.5-r0 |
| pkg:apk/wolfi/py3-supported-django | < 5.1.5-r0 |
| pkg:bitnami/django | >= 4.2.0, < 5.1.5 |
| pkg:pypi/django | >= 5.1, < 5.1.5 |
| pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed | < 4.2.18-1.1 |
| pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed | < 6.0-1.1 |
| pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.6 | < 4.2.11-150600.3.15.1 |
| pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed | < 5.1.5-1.1 |
| pkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 4.2.11-150600.3.15.1 |
- Range: 4.2
References
- github.com/advisories/GHSA-qcgg-j2x8-h9g8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56374 (advisory)
- www.openwall.com/lists/oss-security/2025/01/14/2
- docs.djangoproject.com/en/dev/releases/security
- github.com/django/django/commit/4806731e58f3e8700a3c802e77899d54ac6021fe
- github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
- github.com/django/django/commit/ca2be7724e1244a4cb723de40a070f873c6e94bf
- github.com/django/django/commit/e8d4a2005955dcf962193600b53bf461b190b455
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-1.yaml
- groups.google.com/g/django-announce
- lists.debian.org/debian-lts-announce/2025/01/msg00024.html
- www.djangoproject.com/weblog/2025/jan/14/security-releases