CVE-2023-24580 — Uncontrolled Resource Consumption in Django

CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

7.5HIGHNVD

EPSS

25.4%

top 3.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Debian Linux

Timeline

PublishedFeb 15

Description

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django3.2 — 3.2.18+2

▶PyPIdjangoproject/django3.2a1 — 3.2.18+2

Also affects: Debian Linux 10.0

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Resource exhaustion in Django↗2023-02-15

▶

OSV

Resource exhaustion in Django↗2023-02-15

▶

OSV

CVE-2023-24580: An issue was discovered in the Multipart Request Parser in Django 3↗2023-02-15

▶

CVEList

CVE-2023-24580: An issue was discovered in the Multipart Request Parser in Django 3↗2023-02-15

▶

📋Vendor Advisories

Red Hat

python-django: Potential denial-of-service vulnerability in file uploads↗2023-02-14

▶

Ubuntu

Django vulnerability↗2023-02-14

▶

Debian

CVE-2023-24580: python-django - An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2...↗2023

▶