GoogleOSV:GHSA-2HRW-HX67-34X6Resource exhaustion in Django
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
60.8%
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
References
www.openwall.com/lists/oss-security/2023/02/14/1
docs.djangoproject.com/en/4.1/releases/security
github.com/django/django
github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92
github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432
github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8
groups.google.com/forum/#!forum/django-announce
lists.debian.org/debian-lts-announce/2023/02/msg00023.html
lists.fedoraproject.org/archives/list/[email protected]/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
lists.fedoraproject.org/archives/list/[email protected]/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
lists.fedoraproject.org/archives/list/[email protected]/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
nvd.nist.gov/vuln/detail/CVE-2023-24580
security.netapp.com/advisory/ntap-20230316-0006
www.djangoproject.com/weblog/2023/feb/14/security-releases
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
60.8%