CVE-2023-31047
Severity: CRITICAL 9.8 | EPSS: 0.13%
python-django - security update
Published: 2023/5/7 | Modified: 2026/4/28
Description
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Affected packages (5)
- Bitnami/django: >= 3.2.0, < 3.2.19 | >= 4.0.0, < 4.1.9 | >= 4.2.0, <= 4.2.0
- Debian/python-django: from 0, < 2:2.2.28-1~deb11u2
- Debian/python-django: from 0, < 1:1.11.29-1+deb10u8
- PyPI/django: >= 3.2a1, < 3.2.19
- PyPI/django: >= 3.2, < 3.2.19 | >= 4.0, < 4.1.9 | >= 4.2, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Reference links (20)
- ADVISORY: https://docs.djangoproject.com/en/4.2/releases/security/
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-31047
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2023-31047
- ADVISORY: https://www.djangoproject.com/weblog/2023/may/03/security-releases/
- PATCH: https://github.com/django/django
- WEB: https://docs.djangoproject.com/en/4.2/releases/security
- WEB: https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd
- WEB: https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64
- WEB: https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-61.yaml
- WEB: https://groups.google.com/forum/#%21forum/django-announce
- WEB: https://groups.google.com/forum/#!forum/django-announce
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD
- WEB: https://security.netapp.com/advisory/ntap-20230609-0008
- WEB: https://security.netapp.com/advisory/ntap-20230609-0008/
- WEB: https://www.djangoproject.com/weblog/2023/may/03/security-releases