Denial-of-Service Vulnerability in Django Web Framework
CVE-2023-23969

7.5HIGH

Key Information:

Vendor: Djangoproject
Status: Django
Vendor: CVE Published:; 1 February 2023

What is CVE-2023-23969?

Certain versions of the Django web framework, specifically 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, exhibit a vulnerability due to the caching of parsed Accept-Language headers. This caching mechanism is intended to enhance performance by avoiding repetitive parsing. However, when excessively large raw values are provided within the Accept-Language headers, it can lead to significant memory consumption. Such a scenario poses a risk of Denial-of-Service, as it might exhaust server resources, potentially impacting application availability.

References

https://groups.google.com/forum/#%21forum/django-announce

https://docs.djangoproject.com/en/4.1/releases/security/

https://www.djangoproject.com/weblog/2023/feb/01/security...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 1, 2023
Vulnerability Reserved
Jan 20, 2023

Djangoproject

What is CVE-2023-23969?

References

CVSS V3.1

Timeline