提出 #857925: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improper情報

タイトルdjango-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improper
説明django-tastypie 0.15.1 contains a conditional rate limit bypass in CacheThrottle and CacheDBThrottle. CacheThrottle.should_be_throttled() reads a timestamp list from Django cache, filters it, writes it back, and decides whether the identifier is over the limit. CacheThrottle.accessed() later reads the same list, appends the current timestamp, and writes it back. Resource.dispatch() calls throttle_check() before executing the request handler and log_throttled_access() after the handler, leaving a race window where concurrent requests can all observe the same under-limit state and pass before any request is recorded. The issue requires an application to configure CacheThrottle or CacheDBThrottle with a cache backend shared by concurrent workers. Under those conditions, attackers can exceed configured API throttle limits. Remediation should use atomic cache/backend operations, such as Redis counters, compare-and-set, Lua scripts, or a per-identifier lock around check and accounting.
ソース⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
ユーザー
 Galaxyn (UID 98388)
送信2026年06月13日 12:56 (1 月 ago)
モデレーション2026年07月18日 10:27 (1 month later)
ステータス承諾済み
VulDBエントリ380024 [django-tastypie 迄 0.15.1 tastypie/throttle.py CacheThrottle/CacheDBThrottle 競合状態]
ポイント20

Want to know what is going to be exploited?

We predict KEV entries!