CVE-2023-24580
HIGH7.5EPSS 19.7%Resource exhaustion in Django
發布日:2023/2/15修改日:2025/3/19
描述
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
受影響套件(5)
- Bitnami/django>= 3.2.0, < 3.2.18, >= 4.0.0, < 4.0.10, >= 4.1.0, < 4.1.7
- Debian/python-djangofrom 0, < 2:2.2.28-1~deb11u2
- Debian/python-djangofrom 0, < 1:1.11.29-1+deb10u7
- PyPI/django>= 3.2a1, < 3.2.18
- PyPI/django>= 3.2, < 3.2.18, >= 4.0, < 4.0.10, >= 4.1, < 4.1.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(32)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-24580
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-24580
- ADVISORYhttps://www.djangoproject.com/weblog/2023/feb/14/security-releases/
- PATCHhttps://github.com/django/django
- WEBhttps://docs.djangoproject.com/en/4.1/releases/security
- WEBhttps://docs.djangoproject.com/en/4.1/releases/security/
- WEBhttps://github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92
- WEBhttps://github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432
- WEBhttps://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-13.yaml
- WEBhttps://groups.google.com/forum/#%21forum/django-announce
- WEBhttps://groups.google.com/forum/#!forum/django-announce
- WEBhttps://lists.debian.org/debian-lts-announce/2023/02/msg00023.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
- WEBhttps://security.netapp.com/advisory/ntap-20230316-0006
- WEBhttps://security.netapp.com/advisory/ntap-20230316-0006/
- WEBhttps://www.djangoproject.com/weblog/2023/feb/14/security-releases
- WEBhttp://www.openwall.com/lists/oss-security/2023/02/14/1