CVE-2024-39317
MEDIUMWagtail 2.0-5.2.5, 6.0-6.0.5 - Denial of Service via parse_query_string Inefficient Regular Expression
Title source: llmDescription
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8
Patch x_refsource_misc
https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2
Patch x_refsource_misc
https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797
Scores
CVSS v3
6.5
EPSS
0.0061
EPSS Percentile
44.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1333
Status
published
Products (5)
pypi/wagtail
2.0 - 5.2.6PyPI
pypi/wagtail
6.0 - 6.0.6PyPI
pypi/wagtail
6.1 - 6.1.3PyPI
torchbox/wagtail
2.0 - 5.2.6
wagtail/wagtail
2.0 - 5.2.6
Published
Jul 11, 2024
Tracked Since
Feb 18, 2026