CVE-2023-46695
Published 2023-11-02
Priority: P3 · 52 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 49.77% (98.8th percentile)
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | — | — |
| djangoproject | django | >= 3.2 < 3.2.23 | 3.2.23 |
| djangoproject | django | >= 3.2 < 3.2.23 | 3.2.23 |
| djangoproject | django | >= 3.2a1 < 3.2.23 | 3.2.23 |
| djangoproject | django | >= 4.1 < 4.1.13 | 4.1.13 |
| djangoproject | django | >= 4.1 < 4.1.13 | 4.1.13 |
| djangoproject | django | >= 4.1a1 < 4.1.13 | 4.1.13 |
| djangoproject | django | >= 4.2 < 4.2.7 | 4.2.7 |
| djangoproject | django | >= 4.2 < 4.2.7 | 4.2.7 |
| djangoproject | django | >= 4.2a1 < 4.2.7 | 4.2.7 |
| frigate | frigate | >= 0 < 0.13.2 | 0.13.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
osv·2024-05-09
CVE-2024-32874 [CRITICAL] Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
**Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If you have configured authentication in front of Frigate via a reverse proxy, then this vulnerability is not exploitable without first getting around your authentication method. For many obvious reasons in addition to this one, please don't expose your Frigate instance publicly without any kind of authentication.**
## Summary
When uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to an application-level denial of service. This is due to no
GHSA
ghsa·2024-05-09
CVE-2024-32874 [CRITICAL] CWE-770 Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
**Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If you have configured authentication in front of Frigate via a reverse proxy, then this vulnerability is not exploitable without first getting around your authentication method. For many obvious reasons in addition to this one, please don't expose your Frigate instance publicly without any kind of authentication.**
## Summary
When uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to an application-level denial of service. This is due to no
GHSA
ghsa·2023-11-02
CVE-2023-46695 [HIGH] CWE-400 Django potential denial of service vulnerability in UsernameField on Windows
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
OSV
osv·2023-11-02
CVE-2023-46695: An issue was discovered in Django 3
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
OSV
osv·2023-11-02
CVE-2023-46695 [HIGH] Django potential denial of service vulnerability in UsernameField on Windows
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Red Hat
vendor_redhat·2023-11-01·CVSS 7.5
CVE-2023-46695 [HIGH] CWE-20 python-django: Potential denial of service vulnerability in UsernameField on Windows
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
A vulnerability was discovered in the Django package, where NFKC normalization could take a significant time. This flaw allows a remote, unauthenticated attacker to cause a denial of service by submitting inputs with a large number of Unicode characters.
Statement: Only Windows environments are impacted by this vulnerability.
Package: python-django (Red Hat Ansible Automation Platform 2) -
Debian
vendor_debian·2023·CVSS 7.5
CVE-2023-46695 [HIGH] python-django - An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 ...
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
HackerOne
hackerone·2023-11-29·CVSS 7.5
CVE-2023-46695 [HIGH] Potential denial of service vulnerability in UsernameField on Windows
In Django versions before 4.2.7, 4.1.13, and 3.2.23, I sent a POST request to the admin login page using Burp Suite, editing the request to send over 1 million invalid Unicode characters to my local web server running Django. (I used: "¾")
After submitting, a single request took 4.4 seconds on average.
When I sent 20 concurrent requests, then I got 60 second wait times, and 504 gateway timeout errors on my machine.
Normal ASCII characters don't do this and the page loads instantly.
## Impact
Denial of Service anywhere a form contains a UsernameField that checks for errors.
Bugzilla
bugzilla·2023-10-30·CVSS 7.5
CVE-2023-46695 [HIGH] python-django: Potential denial of service vulnerability in UsernameField on Windows
The NFKC normalization is slow on Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters.
In order to avoid the vulnerability, invalid values longer than ``UsernameField.max_length`` are no longer normalized, since they cannot pass validation anyway.
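The mitigation above, modelled as an added example (not Django's own code): the length check is applied before NFKC normalization, so an oversized value is rejected by the length validator without ever reaching the slow normalizer. The names NormalizationStats, to_python_before_fix, to_python_after_fix and the 150-character limit are assumptions for this illustration.

```python
import unicodedata
from dataclasses import dataclass


@dataclass
class NormalizationStats:
    """Counts how much text actually reaches the NFKC normalizer."""
    calls: int = 0
    chars: int = 0


def nfkc(value: str, stats: NormalizationStats) -> str:
    stats.calls += 1
    stats.chars += len(value)
    return unicodedata.normalize("NFKC", value)


def to_python_before_fix(value, stats, max_length=150):
    """Pre-fix shape: every submitted value is normalized, however long."""
    if value is None:
        return None
    return nfkc(value, stats)


def to_python_after_fix(value, stats, max_length=150):
    """Post-fix shape: a value longer than max_length cannot pass validation
    anyway, so it is returned unnormalized and left for the length validator."""
    if value is None:
        return None
    if max_length is not None and len(value) > max_length:
        return value
    return nfkc(value, stats)


def passes_length_validator(value: str, max_length: int = 150) -> bool:
    """Stand-in for the MaxLengthValidator that runs after to_python()."""
    return len(value) <= max_length


def demo(repeat: int = 10_000):
    # Constructed oversized input: a compatibility character repeated well
    # past the username limit (10_000 here, far below the report's 1 million).
    payload = "¾" * repeat
    before, after = NormalizationStats(), NormalizationStats()
    to_python_before_fix(payload, before)
    cleaned = to_python_after_fix(payload, after)
    return before.chars, after.chars, passes_length_validator(cleaned)


if __name__ == "__main__":
    print(demo())  # chars normalized before fix, after fix, and whether it validates
```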
Discussion:
Created python-django tracking bugs for this issue:
Affects: openstack-rdo [bug 2249282]
---
Created python-django tracking bugs for this issue:
Affects: epel-all [bug 2249286]
Affects: fedora-all [bug 2249288]
Created python-django16 tracking bugs for this issue:
Affects: epel-all [bug 2249
References:
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://security.netapp.com/advisory/ntap-20231214-0001/
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/