GoogleOSV:GHSA-Q2JF-H9JM-M7P4Django contains Uncontrolled Resource Consumption via cached header
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
86.8%
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
References
docs.djangoproject.com/en/4.1/releases/security
github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95
github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942
github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a
groups.google.com/forum/#!forum/django-announce
lists.debian.org/debian-lts-announce/2023/02/msg00000.html
lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
nvd.nist.gov/vuln/detail/CVE-2023-23969
security.netapp.com/advisory/ntap-20230302-0007
www.djangoproject.com/weblog/2023/feb/01/security-releases
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
86.8%