Lucene search
MprogrammerH1:2258758HistoryNov 20, 2023 - 9:21 p.m.
Internet Bug Bounty: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
2023-11-2021:21:35
mprogrammer
hackerone.com
$2540
64
denial of service
usernamefield
windows
django
vulnerability
bugbounty
In Django versions before 4.2.7, 4.1.13, and 3.2.23, I sent a POST request to the admin login page using Burp Suite, editing the request to send over 1 million invalid unicode characters to my local web server running Django. (I used: “¾”)
After submitting, a single request took 4.4 seconds on average.
When I sent 20 concurrent requests, then I got 60 second wait times, and 504 gateway timeout errors on my machine.
{F2871465}
Normal ascii characters don’t do this and the page loads instantly.
Impact
Denial of Service anywhere a form contains a UsernameField that checks for errors.
Related
prion
prion
Code injection
2023-11-02 06:15:00
osv
osv
BIT-django-2023-46695
2024-03-06 10:51:16
Django potential denial of service vulnerability in UsernameField on Windows
2023-11-02 06:30:25
PYSEC-2023-222
2023-11-02 06:15:00
veracode
veracode
Denial Of Service (DoS)
2023-11-03 04:15:49
cve
cve
CVE-2023-46695
2023-11-02 06:15:08
ubuntucve
ubuntucve
CVE-2023-46695
2023-11-02 00:00:00
openvas
openvas
Django < 3.2.23, 4.1.x < 4.1.13, 4.2.x < 4.2.7 DoS Vulnerability - Windows
2023-11-07 00:00:00
github
github
cvelist
cvelist
CVE-2023-46695
2023-11-02 00:00:00
redhatcve
redhatcve
CVE-2023-46695
2023-11-01 16:33:28
debiancve
debiancve
CVE-2023-46695
2023-11-02 06:15:08
redos
redos
ROS-20240730-12
2024-07-30 00:00:00
nvd
nvd
CVE-2023-46695
2023-11-02 06:15:08
