CVE-2022-23833

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

===========================

*February 1, 2022*

Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11.

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
• https://docs.djangoproject.com/en/4.0/releases/security/
• https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
• https://security.netapp.com/advisory/ntap-20220221-0003/
• https://www.debian.org/security/2022/dsa-5254
• https://groups.google.com/forum/#%21forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
• https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
• https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
• https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9