CVE-2024-38875: Potential denial-of-service vulnerability in django.utils.html.urlize()¶

urlize and urlizetrunc were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords¶

The authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal via Storage.save()¶

Derived classes of the Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save().

Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service vulnerability in get_supported_language_variant()¶

get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters.

When the language code is over 500 characters, a ValueError will now be raised if strict is True, or if there is no generic variant and strict is False.

Bugfixes¶

• Fixed a bug in Django 5.0 that caused a crash of Model.full_clean() on unsaved model instances with a GeneratedField and certain defined Meta.constraints (#35560).