Denial-of-Service Vulnerability in Django Multipart Request Parser
CVE-2023-24580
7.5 HIGH
What is CVE-2023-24580?
A vulnerability exists in the multipart request parser of the Django framework that allows an attacker to submit specially crafted multipart form input containing an excessive number of parts. Parsing such a request can deplete server resources, such as the number of open file handles or available memory, and so provides a vector for denial-of-service attacks. The affected versions are Django 3.2 prior to 3.2.18, 4.0 prior to 4.0.10, and 4.1 prior to 4.1.7. Upgrading to 3.2.18, 4.0.10, or 4.1.7 (or later) is critical to mitigate this risk.
EPSS Score
21% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged