CVE-2012-3443
Published: 2012-07-31
Priority: P4 (19) · CVSS 2.0: 5.0 medium · vector AV:N/AC:L/Au:N/C:N/I:N/A:P · EPSS: 2.64% (83.7th percentile)
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.4.1-1 (bookworm) | python-django 1.4.1-1 (bookworm) |
| djangoproject | django | <= 1.3 | — |
| djangoproject | django | >= 0 < 1.3.2 | 1.3.2 |
| djangoproject | django | >= 1.4 < 1.4.1 | 1.4.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
OSV · 2022-05-17 · CVE-2012-3443 [HIGH]
Django Image Field Vulnerable to Image Decompression Bombs
GHSA · 2022-05-17 · CVE-2012-3443 [HIGH] · CWE-20
Django Image Field Vulnerable to Image Decompression Bombs
OSV · 2012-07-31 · CVSS 5.0 · CVE-2012-3443 [MEDIUM]
CVE-2012-3443: The django
Ubuntu · vendor_ubuntu · 2012-09-10 · CVSS 4.3 · CVE-2012-3442 [MEDIUM]
Title: Django vulnerabilities
Summary: Applications using Django could be made to crash or expose sensitive information.

It was discovered that Django incorrectly validated the scheme of a redirect target. If a user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-3442)

It was discovered that Django incorrectly handled validating certain images. A remote attacker could use this flaw to cause the server to consume memory, leading to a denial of service. (CVE-2012-3443)

Jeroen Dekkers discovered that Django incorrectly handled certain image dimensions. A remote attacker could use this flaw to cause the server to consume resources, leading to a denial of service. (CVE-2012-3444)
Debian · vendor_debian · 2012 · CVSS 5.0 · CVE-2012-3443 [MEDIUM]
CVE-2012-3443: python-django - The django.forms.ImageField class in the form system in Django before 1.3.2 and ...
Scope: local
bookworm: resolved (fixed in 1.4.1-1)
bullseye: resolved (fixed in 1.4.1-1)
forky: resolved (fixed in 1.4.1-1)
sid: resolved (fixed in 1.4.1-1)
trixie: resolved (fixed in 1.4.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2012-07-31 · CVSS 5.0 · CVE-2012-3443 [MEDIUM]
CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.

For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?t
Bugzilla · 2012-07-31 · CVSS 5.0 · CVE-2012-3443 [MEDIUM]
CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation
James Bennett of the Django Project reports:

Security releases issued

Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us.

All users are encouraged to upgrade Django immediately.

Denial-of-service in image validation

Django's form system includes field types for handling file uploads, including a field class -- django.forms.ImageField -- for uploading images, which can perform some validation of image formats.

Part of that validation involves detecting corrupted image files, using routines provided by the Python Imaging Library (PIL).

The check as it currently exists in Django is vulnerable, however, because it will read the entire
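The defensive idea the report points at, bounding what an upload can cost before any decoder runs, as an added example (not Django's patch and not code from this page): a standard-library Python pre-check that reads the declared width and height from a PNG or GIF header and rejects declared pixel counts above a budget before the image is decompressed. `MAX_PIXELS`, the helper names and the sample headers are assumptions constructed for this example.

```python
import struct
import zlib

# Assumed policy value: the largest declared pixel count accepted before decoding.
# 10 MP of 8-bit RGBA is roughly 40 MB once decompressed, a bounded cost per request.
MAX_PIXELS = 10_000_000

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def declared_dimensions(data: bytes):
    """Read (width, height) from the container header only; None if unknown.

    Nothing is decompressed: PNG keeps the size in its IHDR chunk and GIF in
    the logical-screen descriptor, so the cost is constant however large the
    compressed payload is."""
    if data.startswith(PNG_SIGNATURE):
        # 8-byte signature, then the IHDR chunk: length(4) type(4) width(4) height(4) ...
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            return None
        return struct.unpack("<HH", data[6:10])
    return None  # other formats are not handled by this hypothetical checker


def precheck_upload(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """True only if the declared size fits the budget; only then is the file
    handed to the real decoder, so its memory use stays bounded."""
    dims = declared_dimensions(data)
    if dims is None:
        return False  # unknown or malformed header: never decode it blind
    width, height = dims
    return 0 < width * height <= max_pixels


def make_png_header(width: int, height: int) -> bytes:
    """Constructed sample input: PNG signature plus a valid IHDR chunk only."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + struct.pack(">I", crc)


if __name__ == "__main__":
    print(precheck_upload(make_png_header(640, 480)))        # True
    print(precheck_upload(make_png_header(30000, 30000)))    # False: 900 MP declared
    print(precheck_upload(b"GIF89a" + b"\x2c\x01\xc8\x00"))  # True: 300x200 GIF header
```

This gates the decoder rather than replacing its own validation: a header can declare a small size and still be malformed, so the image library's corruption check still runs afterwards on files that pass.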
Bugzilla · 2012-07-31 · CVSS 5.0 · CVE-2012-3443 [MEDIUM]
CVE-2012-3443 Django: 1.3.1 and 1.4.0 Denial-of-service in image validation [epel-all]
References
- http://www.debian.org/security/2012/dsa-2529
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
- http://www.openwall.com/lists/oss-security/2012/07/31/1
- http://www.openwall.com/lists/oss-security/2012/07/31/2
- http://www.ubuntu.com/usn/USN-1560-1
- https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/