| शीर्षक | django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improper |
|---|
| विवरण | django-tastypie 0.15.1 contains a conditional rate limit bypass in CacheThrottle and CacheDBThrottle. CacheThrottle.should_be_throttled() reads a timestamp list from Django cache, filters it, writes it back, and decides whether the identifier is over the limit. CacheThrottle.accessed() later reads the same list, appends the current timestamp, and writes it back. Resource.dispatch() calls throttle_check() before executing the request handler and log_throttled_access() after the handler, leaving a race window where concurrent requests can all observe the same under-limit state and pass before any request is recorded. The issue requires an application to configure CacheThrottle or CacheDBThrottle with a cache backend shared by concurrent workers. Under those conditions, attackers can exceed configured API throttle limits. Remediation should use atomic cache/backend operations, such as Redis counters, compare-and-set, Lua scripts, or a per-identifier lock around check and accounting. |
|---|
| स्रोत | ⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700 |
|---|
| उपयोगकर्ता | Galaxyn (UID 98388) |
|---|
| सबमिशन | 13/06/2026 12:56 PM (1 महीना पहले) |
|---|
| संयम | 18/07/2026 10:27 AM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 380024 [django-tastypie तक 0.15.1 tastypie/throttle.py CacheThrottle/CacheDBThrottle रेस कंडीशन] |
|---|
| अंक | 20 |
|---|