CVE-2023-31047
Published 2023-05-07
CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files…
Priority: P357 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.38% (68.7th percentile)
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
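The mechanism behind the advisory is worth seeing in code. The block below is an added illustration, not code from Django or from any of the advisories on this page: it models the bug in plain Python so it runs without Django installed. `MultiValueDict` keeps only the `request.FILES` semantics that matter here (`.get()` returns the last value for a key, `.getlist()` returns all of them), `FileField.clean` validates a single file, and `MultipleFileField` follows the shape of the pattern Django's corrected "Uploading multiple files" documentation recommends for the patched releases, where a widget with `allow_multiple_selected = True` hands the field the whole list. The allowed-extension policy and the two sample uploads are constructed for the example.

```python
"""
Added illustration of CVE-2023-31047: not Django's code. The MultiValueDict,
FileField and MultipleFileField below are small stand-ins that keep only the
semantics of the real classes that matter for the bug. The allowed-extension
policy and the sample uploads are constructed for the example.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed upload policy for the illustration (not from the advisory).
ALLOWED_EXTENSIONS = {".png", ".jpg"}


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


@dataclass
class UploadedFile:
    """Stand-in for django.core.files.uploadedfile.UploadedFile."""
    name: str
    content: bytes


class MultiValueDict(dict):
    """Keeps the request.FILES semantics that cause the bug: each key maps to a
    list of values, [] / .get() return only the LAST value, .getlist() returns all."""

    def __getitem__(self, key):
        values = super().__getitem__(key)
        return values[-1] if values else None

    def get(self, key, default=None):
        try:
            value = self[key]
        except KeyError:
            return default
        return default if value is None else value

    def getlist(self, key):
        return list(super().get(key, []))


class FileField:
    """Single-file field: validates exactly one uploaded file."""

    def clean(self, data, initial=None):
        if data is None:
            raise ValidationError("This field is required.")
        suffix = PurePosixPath(data.name).suffix.lower()
        if suffix not in ALLOWED_EXTENSIONS:
            raise ValidationError(f"{data.name}: extension {suffix!r} is not allowed")
        return data


class MultipleFileField(FileField):
    """Hardened pattern from the corrected 'Uploading multiple files' docs:
    a list of files is cleaned file by file with the single-file logic."""

    def clean(self, data, initial=None):
        single_file_clean = super().clean
        if isinstance(data, (list, tuple)):
            return [single_file_clean(d, initial) for d in data]
        return single_file_clean(data, initial)


def vulnerable_clean(files, name):
    """Pre-fix pattern: a plain FileField with widget attrs={"multiple": True}.
    The field receives files.get(name), i.e. only the LAST upload, so every
    earlier file reaches the view via getlist() without being validated."""
    FileField().clean(files.get(name))
    return [f.name for f in files.getlist(name)]  # the view would save all of these


def fixed_clean(files, name):
    """Fixed pattern: the field is handed the whole list (what a widget with
    allow_multiple_selected = True returns from value_from_datadict) and
    validates each entry; any bad file fails the form."""
    return [f.name for f in MultipleFileField().clean(files.getlist(name))]


def demo():
    # Constructed request.FILES: a disallowed file first, a benign image last.
    request_files = MultiValueDict({
        "attachments": [
            UploadedFile("evil.exe", b"MZ..."),
            UploadedFile("cat.png", b"\x89PNG"),
        ]
    })
    accepted_by_vulnerable = vulnerable_clean(request_files, "attachments")
    try:
        fixed_clean(request_files, "attachments")
        fixed_rejected = False
    except ValidationError:
        fixed_rejected = True
    return accepted_by_vulnerable, fixed_rejected


if __name__ == "__main__":
    names, rejected = demo()
    print("vulnerable pattern accepted:", names)
    print("fixed pattern rejected the batch:", rejected)
```

Running `demo()` shows the two outcomes side by side: the vulnerable pattern validates `cat.png` and then lets the view save both files, while the fixed pattern rejects the batch because `evil.exe` fails the per-file check. The practical takeaway for auditing an application is to search for `FileField`/`ImageField` declarations whose widget carries `attrs={"multiple": True}` and whose view reads `request.FILES.getlist(...)`; on the affected versions that combination never validated anything but the last file.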
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.19-1 (bookworm) | python-django 3:3.2.19-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | >= 3.2 < 3.2.19 | 3.2.19 |
| djangoproject | django | >= 3.2a1 < 3.2.19 | 3.2.19 |
| djangoproject | django | >= 4.0 < 4.1.9 | 4.1.9 |
| djangoproject | django | >= 4.0a1 < 4.1.9 | 4.1.9 |
| djangoproject | django | >= 4.2a1 < 4.2.1 | 4.2.1 |
| fedoraproject | fedora | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu
Django vulnerability
vendor_ubuntu · 2023-05-25
CVE-2023-31047 Django vulnerability
Summary: A Django hardening measure could be bypassed.
USN-6054-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: Potential bypass of validation when uploading multiple files using one form field
vendor_redhat · 2023-05-03 · CVSS 9.8
CVE-2023-31047 [CRITICAL] CWE-20
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.
Statement: Red Hat Satellite and Red Hat Update Infrastructure individual impact ratings have been set to L
Ubuntu
Django vulnerability
vendor_ubuntu · 2023-05-03
CVE-2023-31047 Django vulnerability
Summary: A Django hardening measure could be bypassed.
Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-31047: python-django - In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was poss...
vendor_debian · 2023 · CVSS 9.8
CVE-2023-31047 [CRITICAL]
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Scope: local
bookworm: resolved (fixed in 3:3.2.19-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u2)
forky: resolved (fixed in 3:3.2.19-1)
sid: resolved (fixed in 3:3.2.19-1)
trixie: resolved (fixed in 3:3.2.19-1)
GHSA
Django bypasses validation when using one form field to upload multiple files
ghsa · 2023-05-07
CVE-2023-31047 [CRITICAL] CWE-20
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
OSV
Django bypasses validation when using one form field to upload multiple files
osv · 2023-05-07
CVE-2023-31047 [CRITICAL]
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
OSV
CVE-2023-31047: In Django 3
osv · 2023-05-07 · CVSS 9.8
CVE-2023-31047 [CRITICAL]
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/
- https://security.netapp.com/advisory/ntap-20230609-0008/
Published: 2023-05-07