PYSEC-2023-13

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-13.yaml

Aliases

BIT-django-2023-24580
CVE-2023-24580
GHSA-2hrw-hx67-34x6

Published

2023-02-15T01:15:00Z

Modified

2023-12-06T01:02:52.536863Z

Summary

[none]

Details

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

References

https://docs.djangoproject.com/en/4.1/releases/security/
https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
http://www.openwall.com/lists/oss-security/2023/02/14/1
https://groups.google.com/forum/#!forum/django-announce

Affected packages

PyPI / django

Package

Name: django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2

Fixed

3.2.18

Introduced

4.0

Fixed

4.0.10

Introduced

4.1

Fixed

4.1.7

Affected versions

3.*

3.2

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

3.2.11

3.2.12

3.2.13

3.2.14

3.2.15

3.2.16

3.2.17

4.*

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6