CVE-2023-46695Allocation of Resources Without Limits or Throttling in Django

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource ConsumptionCWE-20Improper Input Validation8 documents7 sources
Severity
7.5HIGHNVD
EPSS
3.6%
top 12.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedNov 2
Latest updateNov 29

Description

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDdjangoproject/django3.23.2.23+2
PyPIdjangoproject/django3.2a13.2.23+5

Patches

Patch: docs.djangoproject.comPatch: www.djangoproject.comPatch: docs.djangoproject.com

🔴Vulnerability Details

4
CVEList
CVE-2023-46695: An issue was discovered in Django 32023-11-02
GHSA
Django potential denial of service vulnerability in UsernameField on Windows2023-11-02
OSV
CVE-2023-46695: An issue was discovered in Django 32023-11-02
OSV
Django potential denial of service vulnerability in UsernameField on Windows2023-11-02

📋Vendor Advisories

2
Red Hat
python-django: Potential denial of service vulnerability in UsernameField on Windows2023-11-01
Debian
CVE-2023-46695: python-django - An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 ...2023

💬Community

1
HackerOne
CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows2023-11-29
CVE-2023-46695 — Djangoproject Django vulnerability | cvebase