Submeter #857925: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improperinformação

Títulodjango-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improper
Descriçãodjango-tastypie 0.15.1 contains a conditional rate limit bypass in CacheThrottle and CacheDBThrottle. CacheThrottle.should_be_throttled() reads a timestamp list from Django cache, filters it, writes it back, and decides whether the identifier is over the limit. CacheThrottle.accessed() later reads the same list, appends the current timestamp, and writes it back. Resource.dispatch() calls throttle_check() before executing the request handler and log_throttled_access() after the handler, leaving a race window where concurrent requests can all observe the same under-limit state and pass before any request is recorded. The issue requires an application to configure CacheThrottle or CacheDBThrottle with a cache backend shared by concurrent workers. Under those conditions, attackers can exceed configured API throttle limits. Remediation should use atomic cache/backend operations, such as Redis counters, compare-and-set, Lua scripts, or a per-identifier lock around check and accounting.
Fonte⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
Utilizador
 Galaxyn (UID 98388)
Submissão13/06/2026 12h56 (há 1 mês)
Moderação18/07/2026 10h27 (1 month later)
EstadoAceite
Entrada VulDB380024 [django-tastypie até 0.15.1 tastypie/throttle.py CacheThrottle/CacheDBThrottle Condição de Corrida]
Pontos20

Do you know our Splunk app?

Download it now for free!