Lucene search

K

GoogleOSV:CVE-2023-23969

HistoryFeb 01, 2023 - 7:15 p.m.

CVE-2023-23969

2023-02-0119:15:08

Google

osv.dev

10

django

security vulnerability

denial of service

memory usage

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.014

Percentile

86.8%

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

References

docs.djangoproject.com/en/4.1/releases/security/

groups.google.com/forum/#%21forum/django-announce

lists.debian.org/debian-lts-announce/2023/02/msg00000.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/

security.netapp.com/advisory/ntap-20230302-0007/

www.djangoproject.com/weblog/2023/feb/01/security-releases/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.014

Percentile

86.8%

Related for OSV:CVE-2023-23969

openvas10 cvelist1 nessus12 debiancve1 ubuntu2 alpinelinux1 veracode1 osv10 cve1 freebsd1 debian2 prion1 nvd1 redhatcve1 ubuntucve1 github1 mageia1 altlinux1 redhat2 fedora2 ibm1 rocky1