CVE-2024-39317: Wagtail regular expression denial-of-service via search query parsing

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-39317

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Wagtail regular expression denial-of-service via search query parsing

Source: NVD (National Vulnerability Database)

Vulnerability Description

Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

CWE-1333

Source: NVD (National Vulnerability Database)

Vulnerability Title

Torchbox Wagtail 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Torchbox Wagtail是英国Torchbox公司的一套开源的内容管理系统（CMS）。 Torchbox Wagtail 5.2.6、6.0至6.0.5和6.1至6.1.2版本存在安全漏洞，该漏洞源于parse_query_string中存在一个错误，导致它需要很长时间来处理适当制作的输入，可能导致拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
wagtail	wagtail	>= 2.0, < 5.2.6	-

II. Public POCs for CVE-2024-39317

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-39317

Please Login to view more intelligence information

https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8x_refsource_CONFIRM
https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797x_refsource_MISC
https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2x_refsource_MISC
https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-39317

IV. Related Vulnerabilities

Same product: wagtail

Same vendor: wagtail

Same weakness: CWE-1333

V. Comments for CVE-2024-39317

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-39317

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-39317

III. Intelligence Information for CVE-2024-39317

IV. Related Vulnerabilities

V. Comments for CVE-2024-39317

Leave a comment