CVE-2023-31047

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

===========================

*May 3, 2023*

Django 3.2.19 fixes a security issue with severity "low" in 3.2.18.

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by
:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last
uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files`
topic suggested otherwise.

In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput`
and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see :ref:`uploading_multiple_files`.


===========================

Resources

• https://pypi.org/project/django
• https://pyup.io/changelogs/django/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047
• https://www.djangoproject.com/weblog/2023/may/03/security-releases/
• https://docs.djangoproject.com/en/4.2/releases/security/
• https://groups.google.com/forum/#!forum/django-announce
• https://lists.fedoraproject.org/archives/list/[email protected]/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/
• https://security.netapp.com/advisory/ntap-20230609-0008/