CVE-2023-23969
Published 2023-02-01
Priority: P3 · 53 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 47.10% (98.7th percentile)
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
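What the description above amounts to in code, as an added example (not Django's own code and not taken from any advisory on this page): a parsed-header cache keyed on the raw Accept-Language value, beside the bounded variant. The parser, the LRUCache class, the constructed attacker_header() inputs, the 500-character ACCEPT_LANGUAGE_HEADER_MAX_LENGTH and the truncate-at-the-last-comma rule are all assumptions modelled on the shape of the upstream fix; the real implementation is in django/utils/translation/trans_real.py of a patched release.

```python
"""Model of the caching pattern behind CVE-2023-23969 (added example, not Django code).

Keying a cache on the raw Accept-Language value lets a client fill every slot
with an arbitrarily long string: memory is bounded only by maxsize times the
largest header the server accepts. Bounding the key first removes that term.
"""
import re
from collections import OrderedDict

ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500  # assumed value, not stated on this page

# One "lang;q=x" piece: a BCP 47-style tag or "*", optional q between 0 and 1.
_PIECE_RE = re.compile(
    r"([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
)


def parse_accept_language(lang_string):
    """Parse 'en-GB,en;q=0.8,*;q=0.1' -> (('en-gb', 1.0), ('en', 0.8), ('*', 0.1)).
    Any malformed piece makes the whole header parse as empty."""
    result = []
    for piece in lang_string.split(","):
        piece = piece.strip()
        if not piece:
            continue
        match = _PIECE_RE.fullmatch(piece)
        if match is None:
            return ()
        lang, quality = match.groups()
        result.append((lang.lower(), float(quality) if quality else 1.0))
    result.sort(key=lambda item: item[1], reverse=True)
    return tuple(result)


class LRUCache:
    """Minimal LRU cache; unlike functools.lru_cache it lets us measure its keys."""

    def __init__(self, maxsize):
        self.maxsize = maxsize
        self._entries = OrderedDict()

    def get_or_compute(self, key, compute):
        if key in self._entries:
            self._entries.move_to_end(key)
            return self._entries[key]
        value = compute(key)
        self._entries[key] = value
        if len(self._entries) > self.maxsize:
            self._entries.popitem(last=False)  # evict the least recently used entry
        return value

    def key_bytes(self):
        return sum(len(key) for key in self._entries)


def make_vulnerable_parser(maxsize=1000):
    """Pre-fix pattern: the raw header is the cache key, whatever its size."""
    cache = LRUCache(maxsize)

    def parse(lang_string):
        return cache.get_or_compute(lang_string, parse_accept_language)

    return parse, cache


def make_fixed_parser(maxsize=1000, max_length=ACCEPT_LANGUAGE_HEADER_MAX_LENGTH):
    """Post-fix pattern: cut at the last ',' before max_length before caching, so the
    cache never holds more than maxsize * max_length characters of keys."""
    cache = LRUCache(maxsize)

    def parse(lang_string):
        if len(lang_string) > max_length:
            index = lang_string.rfind(",", 0, max_length)
            if index == -1:
                return ()  # one oversized tag: refuse it rather than cache it
            lang_string = lang_string[:index]
        return cache.get_or_compute(lang_string, parse_accept_language)

    return parse, cache


def attacker_header(i, length):
    """Constructed input: a valid Accept-Language value of exactly `length` characters,
    unique per request so every call misses the cache."""
    padded = f"aa-{i:06d}" + ",en" * (length // 3 + 1)
    return padded[:length]


def simulate(parser_factory, requests=100, header_length=10_000):
    """Feed `requests` distinct oversized headers; return characters held as cache keys."""
    parse, cache = parser_factory()
    for i in range(requests):
        parse(attacker_header(i, header_length))
    return cache.key_bytes()


if __name__ == "__main__":
    print("vulnerable cache keys:", simulate(make_vulnerable_parser), "chars")
    print("fixed cache keys:     ", simulate(make_fixed_parser), "chars")
```

After 100 distinct 10,000-character headers the unbounded cache holds 1,000,000 characters of keys against under 50,000 for the bounded one, and the gap grows linearly with whatever header size the front end lets through. For deployments that cannot upgrade immediately, a per-header size limit at the reverse proxy (nginx's large_client_header_buffers, for example) caps the same term from the outside.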
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 3:3.2.17-1 (bookworm) | python-django 3:3.2.17-1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.17 | 3.2.17 |
| djangoproject | django | >= 3.2a1 < 3.2.17 | 3.2.17 |
| djangoproject | django | >= 4.0 < 4.0.9 | 4.0.9 |
| djangoproject | django | >= 4.0a1 < 4.0.9 | 4.0.9 |
| djangoproject | django | >= 4.1 < 4.1.6 | 4.1.6 |
| djangoproject | django | >= 4.1a1 < 4.1.6 | 4.1.6 |
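A check against the upstream ranges in the table, as an added example (not from any advisory on this page). Only the djangoproject ranges for the 3.2, 4.0 and 4.1 series are encoded; distribution packages carry their own version strings and backports (Debian's 2:2.2.28-1~deb11u2 for bullseye, for instance), so for those the distro tracker is authoritative, not this check. The version regex and the pre-release ordering are assumptions based on Django's X.Y[.Z][a|b|rc N] scheme.

```python
"""Classify an upstream Django version against the CVE-2023-23969 ranges (added example)."""
import re

# (series, first fixed release), taken from the Affected table.
FIXED_IN = {
    (3, 2): "3.2.17",
    (4, 0): "4.0.9",
    (4, 1): "4.1.6",
}

# Django's version scheme as assumed here: X.Y[.Z][a|b|rc N]; pre-releases sort before the final.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2, None: 3}


def version_key(version):
    """Turn '4.1rc1' into a sortable tuple; '4.1a1' < '4.1rc1' < '4.1' < '4.1.1'."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, micro, pre, pre_num = match.groups()
    return (int(major), int(minor), int(micro or 0), _PRE_ORDER[pre], int(pre_num or 0))


def classify(version):
    """Return 'affected', 'fixed' or 'not listed' for an upstream Django version."""
    key = version_key(version)
    fixed = FIXED_IN.get(key[:2])
    if fixed is None:
        return "not listed"  # series outside the advisory's ranges (e.g. 2.2, 4.2)
    return "affected" if key < version_key(fixed) else "fixed"


def installed_django_status():
    """Classify the Django importable from this interpreter, or None if absent or unparsable."""
    try:
        from importlib.metadata import version
        return classify(version("Django"))
    except Exception:  # not installed, or a distro version string this regex rejects
        return None


if __name__ == "__main__":
    for v in ("3.2.16", "3.2.17", "4.0a1", "4.0.9", "4.1.5", "4.1.6", "4.2", "2.2.28"):
        print(f"{v:>8}: {classify(v)}")
    print("installed:", installed_django_status())
```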
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
python-django: Potential denial-of-service via Accept-Language headers
vendor_redhat·2023-02-01·CVSS 7.5
CVE-2023-23969 [HIGH] CWE-400 python-django: Potential denial-of-service via Accept-Language headers
A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent.
Package: python-django (Red Hat Ansible Automation Platform 2) - Affected
Package: python-django (Red Hat Ceph Storage 3) - Out of support scope
Package: python-django (Red Hat Ope
Ubuntu
Django vulnerability
vendor_ubuntu·2023-02-01
Summary: Django could be made to consume memory if it received specially crafted network traffic.
Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Django vulnerability
vendor_ubuntu·2023-02-01
Summary: Django could be made to consume memory if it received specially crafted network traffic.
USN-5837-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-23969: python-django - In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed ...
vendor_debian·2023·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 3:3.2.17-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u2)
forky: resolved (fixed in 3:3.2.17-1)
sid: resolved (fixed in 3:3.2.17-1)
trixie: resolved (fixed in 3:3.2.17-1)
OSV
CVE-2023-23969: In Django 3
osv·2023-02-01·CVSS 7.5
GHSA
Django contains Uncontrolled Resource Consumption via cached header
ghsa·2023-02-01
CVE-2023-23969 [HIGH] CWE-400 Django contains Uncontrolled Resource Consumption via cached header
OSV
Django contains Uncontrolled Resource Consumption via cached header
osv·2023-02-01
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://docs.djangoproject.com/en/4.1/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20230302-0007/
https://www.djangoproject.com/weblog/2023/feb/01/security-releases/