CVE-2022-23833

CVE Database · CVE-2022-23833

CVE-2022-23833

· HIGHModified

CVSS v3.1

7.5

EPSS

49.25%

Published

Feb 2, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-835

Affected Products (6)

djangoproject · django (up to 2.2.27)vulnerable

djangoproject · django (up to 3.2.12)vulnerable

djangoproject · django (up to 4.0.2)vulnerable

fedoraproject · fedoravulnerable

debian · debian_linuxvulnerable

References (18)

https://docs.djangoproject.com/en/4.0/releases/security/

PatchThird Party Advisory

https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a

https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468

https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9

https://groups.google.com/forum/#%21forum/django-announce

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/

https://security.netapp.com/advisory/ntap-20220221-0003/

Third Party Advisory

https://www.debian.org/security/2022/dsa-5254

KEV Catalog EPSS Scores Vendors All CVEs