CVE-2023-24580

moderate-risk

Published 2023-02-15

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

Do I need to act?

25.4% chance of exploitation in next 30 days

EPSS score — higher than 75% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (2)

Django

Debian Linux

Affected Vendors

Debian Djangoproject

References (22)

Mailing List http://www.openwall.com/lists/oss-security/2023/02/14/1

Patch https://docs.djangoproject.com/en/4.1/releases/security/

https://groups.google.com/forum/#%21forum/django-announce

Mailing List https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.netapp.com/advisory/ntap-20230316-0006/

Patch https://www.djangoproject.com/weblog/2023/feb/14/security-releases/

Mailing List http://www.openwall.com/lists/oss-security/2023/02/14/1

Patch https://docs.djangoproject.com/en/4.1/releases/security/

https://groups.google.com/forum/#%21forum/django-announce

Mailing List https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 2 more references

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 15/34 · Moderate

Exposure 7/34 · Low