CVE-2012-3443 — Improper Input Validation in Django

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

1.4%

top 19.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJul 31

Latest updateMay 17

Description

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.4 — 1.4.1+1

▶NVDdjangoproject/django1.3+18

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Image Field Vulnerable to Image Decompression Bombs↗2022-05-17

▶

GHSA

Django Image Field Vulnerable to Image Decompression Bombs↗2022-05-17

▶

OSV

CVE-2012-3443: The django↗2012-07-31

▶

CVEList

CVE-2012-3443: The django↗2012-07-31

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2012-09-10

▶

Debian

CVE-2012-3443: python-django - The django.forms.ImageField class in the form system in Django before 1.3.2 and ...↗2012

▶

💬Community

Bugzilla

CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation [fedora-all]↗2012-07-31

▶

Bugzilla

CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation↗2012-07-31

▶

Bugzilla

CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation [epel-all]↗2012-07-31

▶