CVE-2023-23969Allocation of Resources Without Limits or Throttling in Django

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption9 documents7 sources
Severity
7.5HIGHNVD
EPSS
6.1%
top 9.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Djangoproject DjangoDebian Linux
Timeline
PublishedFeb 1

Description

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDdjangoproject/django3.23.2.17+2
PyPIdjangoproject/django3.2a13.2.17+2

Also affects: Debian Linux 10.0

Patches

Patch: docs.djangoproject.comPatch: docs.djangoproject.com

🔴Vulnerability Details

4
CVEList
CVE-2023-23969: In Django 32023-02-01
OSV
CVE-2023-23969: In Django 32023-02-01
GHSA
Django contains Uncontrolled Resource Consumption via cached header2023-02-01
OSV
Django contains Uncontrolled Resource Consumption via cached header2023-02-01

📋Vendor Advisories

4
Red Hat
python-django: Potential denial-of-service via Accept-Language headers2023-02-01
Ubuntu
Django vulnerability2023-02-01
Ubuntu
Django vulnerability2023-02-01
Debian
CVE-2023-23969: python-django - In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed ...2023
CVE-2023-23969 — Djangoproject Django vulnerability | cvebase