CVE-2023-31047

Aliases:GHSA-r3xc-prgr-mg9pBIT-django-2023-31047PYSEC-2023-61
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 07 May 2023, 00:00
Last modified:29 Jan 2025, 15:51

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (cve.org)
EPSS Score
0.16% LOW
0% probability +0.10%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 May 2023, 00:00
Published
Vulnerability first disclosed
29 Jan 2025, 15:51
Last Modified
Vulnerability information updated

Description

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.16% Percentile: 37%

Techniques & Countermeasures

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • CWE-862Missing Authorization

    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

  • djangoprojectdjango

    ≥ 3.2, < 3.2.19 | ≥ 4.0, < 4.1.9 | 4.2 | 4.2:b1 | 4.2:rc1

  • fedoraprojectfedora

    38

  • PyPIdjango

    ≥ 3.2a1, < 3.2.19 | ≥ 4.0a1, < 4.1.9 | ≥ 4.2a1, < 4.2.1 | ≥ 4.2, < 4.2.1

References (19)