CVE-2023-24580

Advisory

Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
https://www.djangoproject.com/weblog/2023/feb/14/security-releases

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================

*February 14, 2023*

Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.

The number of files parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24580
• https://docs.djangoproject.com/en/4.1/releases/security/
• https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
• http://www.openwall.com/lists/oss-security/2023/02/14/1
• https://groups.google.com/forum/#!forum/django-announce
• https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html
• https://lists.fedoraproject.org/archives/list/[email protected]/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/
• https://security.netapp.com/advisory/ntap-20230316-0006/