CVE-2022-23833 — Infinite Loop in Django

CWE-835 — Infinite Loop11 documents7 sources

Severity

7.5HIGHNVD

OSV6.1

EPSS

3.6%

top 12.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Debian Linux Fedoraproject Fedora

Timeline

PublishedFeb 3

Latest updateFeb 7

Description

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.27+2

▶PyPIdjangoproject/django2.2 — 2.2.27+2

Also affects: Debian Linux 11.0, Fedora 34, 35

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

OSV

python-django vulnerabilities↗2022-02-07

▶

GHSA

Infinite Loop in Django↗2022-02-04

▶

OSV

Infinite Loop in Django↗2022-02-04

▶

CVEList

CVE-2022-23833: An issue was discovered in MultiPartParser in Django 2↗2022-02-03

▶

OSV

CVE-2022-23833: An issue was discovered in MultiPartParser in Django 2↗2022-02-03

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2022-02-07

▶

Ubuntu

Django vulnerabilities↗2022-02-03

▶

Red Hat

django: Denial-of-service possibility in file uploads↗2022-02-01

▶

Debian

CVE-2022-23833: python-django - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 befo...↗2022

▶