CVE-2023-31047 — Improper Input Validation in Django

CWE-20 — Improper Input Validation CWE-862 — Missing Authorization9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 68.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Fedoraproject Fedora

Timeline

PublishedMay 7

Latest updateMay 25

Description

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDdjangoproject/django3.2 — 3.2.19+2

▶PyPIdjangoproject/django3.2a1 — 3.2.19+2

Also affects: Fedora 38

🔴Vulnerability Details

GHSA

Django bypasses validation when using one form field to upload multiple files↗2023-05-07

▶

CVEList

CVE-2023-31047: In Django 3↗2023-05-07

▶

OSV

Django bypasses validation when using one form field to upload multiple files↗2023-05-07

▶

OSV

CVE-2023-31047: In Django 3↗2023-05-07

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2023-05-25

▶

Red Hat

python-django: Potential bypass of validation when uploading multiple files using one form field↗2023-05-03

▶

Ubuntu

Django vulnerability↗2023-05-03

▶

Debian

CVE-2023-31047: python-django - In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was poss...↗2023

▶