CVE-2022-23833

Description

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Affected packages (4)

• Bitnami/django>= 2.2.0, < 2.2.27, >= 3.2.0, < 3.2.12, >= 4.0.0, < 4.0.2
• Debian/python-djangofrom 0, < 2:2.2.28-1~deb11u1
• PyPI/django>= 2.2, < 2.2.27
• PyPI/django>= 2.2, < 2.2.27, >= 3.2, < 3.2.12, >= 4.0, < 4.0.2

CVSS scores

References (19)

• ADVISORYhttps://github.com/advisories/GHSA-6cw3-g6wv-c2xv
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23833
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-23833
• ADVISORYhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/
• PATCHhttps://github.com/django/django
• WEBhttps://docs.djangoproject.com/en/4.0/releases/security
• WEBhttps://docs.djangoproject.com/en/4.0/releases/security/
• WEBhttps://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
• WEBhttps://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
• WEBhttps://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-20.yaml
• WEBhttps://groups.google.com/forum/#%21forum/django-announce
• WEBhttps://groups.google.com/forum/#!forum/django-announce
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• WEBhttps://security.netapp.com/advisory/ntap-20220221-0003
• WEBhttps://security.netapp.com/advisory/ntap-20220221-0003/
• WEBhttps://www.debian.org/security/2022/dsa-5254
• WEBhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases