CVE-2022-23833

描述

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

受影響套件(4)

• Bitnami/django>= 2.2.0, < 2.2.27, >= 3.2.0, < 3.2.12, >= 4.0.0, < 4.0.2
• Debian/python-djangofrom 0, < 2:2.2.28-1~deb11u1
• PyPI/django>= 2.2, < 2.2.27
• PyPI/django>= 2.2, < 2.2.27, >= 3.2, < 3.2.12, >= 4.0, < 4.0.2

CVSS 分數

參考連結(19)

• ADVISORYhttps://github.com/advisories/GHSA-6cw3-g6wv-c2xv
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23833
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-23833
• ADVISORYhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/
• PATCHhttps://github.com/django/django
• WEBhttps://docs.djangoproject.com/en/4.0/releases/security
• WEBhttps://docs.djangoproject.com/en/4.0/releases/security/
• WEBhttps://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
• WEBhttps://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
• WEBhttps://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-20.yaml
• WEBhttps://groups.google.com/forum/#%21forum/django-announce
• WEBhttps://groups.google.com/forum/#!forum/django-announce
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• WEBhttps://security.netapp.com/advisory/ntap-20220221-0003
• WEBhttps://security.netapp.com/advisory/ntap-20220221-0003/
• WEBhttps://www.debian.org/security/2022/dsa-5254
• WEBhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases