CVE-2023-41164
Published: 2023-11-03
Priority: P3 (37) · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.28% (66.5th percentile)
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.21 | 3.2.21 |
| djangoproject | django | >= 4.1 < 4.1.11 | 4.1.11 |
| djangoproject | django | >= 4.2 < 4.2.5 | 4.2.5 |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| OSV | 7.5 | HIGH | — |
| Debian | 7.5 | HIGH | — |
| Red Hat | 7.5 | HIGH | — |
| Ubuntu | 7.5 | HIGH | — |
GHSA · 2023-11-03 · MEDIUM · CWE-1284
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
(Description as in the CVE summary above.)
OSV · 2023-11-03 · CVSS 7.5 (HIGH)
CVE-2023-41164: In Django 3
(Description as in the CVE summary above.)
OSV · 2023-11-03 · MEDIUM
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
(Description as in the CVE summary above.)
OSV · 2023-10-04 · CVSS 7.5 (HIGH) · CVE-2023-43665
python-django vulnerabilities
USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django,
respectively. This update provides the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Wenchao Li discovered that the Django Truncator function incorrectly
handled very long HTML input. A remote attacker could possibly use this
issue to cause Django to consume resources, leading to a denial of service.
It was discovered that Django incorrectly handled certain URIs with a very
large number of Unicode characters. A remote attacker could possibly use
this issue to cause Django to consume resources or crash, leading to a
denial of service.
Ubuntu · 2023-10-04 · CVSS 7.5 (HIGH) · CVE-2023-43665
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
(Advisory text identical to the preceding OSV "python-django vulnerabilities" entry.)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · 2023-09-18 · CVE-2023-41164
Title: Django vulnerability
Summary: Django could be made to crash or consume resources if it received specially crafted network traffic.
It was discovered that Django incorrectly handled certain URIs with a very
large number of Unicode characters. A remote attacker could possibly use
this issue to cause Django to consume resources or crash, leading to a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2023-09-04 · CVSS 7.5 (HIGH) · CWE-400
python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
An uncontrolled resource consumption vulnerability was found in Django. Feeding certain inputs with a very large number of Unicode characters to the URI to IRI encoder function can lead to a denial of service.
Package: python-django (Red Hat Certification for Red Hat Enterprise Linux 7) - Fix deferred
Package: python-django20 (Red Hat OpenStack Platform 16.1) - Out of support scope
Package: python-django20 (Red Hat OpenStack Platform 16.2) - Out of support scope
Debian · 2023 · CVSS 7.5 (HIGH)
CVE-2023-41164: python-django - In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.uti...
(Description as in the CVE summary above.)
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:3.2.21-1)
sid: resolved (fixed in 3:3.2.21-1)
trixie: resolved (fixed in 3:3.2.21-1)
No detection rules found.
No public exploits indexed.
References
https://docs.djangoproject.com/en/4.2/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
https://security.netapp.com/advisory/ntap-20231214-0002/
https://www.djangoproject.com/weblog/2023/sep/04/security-releases/