GoogleOSV:GHSA-QMF9-6JQF-J8FQDjango potential denial of service vulnerability in UsernameField on Windows
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
28.0%
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
References
docs.djangoproject.com/en/4.2/releases/security
github.com/django/django
github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
groups.google.com/forum/#!forum/django-announce
groups.google.com/forum/#%21forum/django-announce
nvd.nist.gov/vuln/detail/CVE-2023-46695
security.netapp.com/advisory/ntap-20231214-0001
www.djangoproject.com/weblog/2023/nov/01/security-releases
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
28.0%