CVE-2012-3443

Django < 1.3.2 and 1.4.x < 1.4.1 - Denial of Service via ImageField Decompression

Title source: llm
STIX 2.1

Description

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

References (6)

Core 6
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/07/31/1
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1560-1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/07/31/2
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2529

Scores

EPSS 0.0264
EPSS Percentile 83.8%

Details

CWE
CWE-20
Status published
Products (20)
djangoproject/django 0.95
djangoproject/django 0.96
djangoproject/django 1.0 (5 CPE variants)
djangoproject/django 1.0.1
djangoproject/django 1.0.2
djangoproject/django 1.1 (4 CPE variants)
djangoproject/django 1.1.2
djangoproject/django 1.1.3
djangoproject/django 1.1.4
djangoproject/django 1.2 (3 CPE variants)
... and 10 more
Published Jul 31, 2012
Tracked Since Feb 18, 2026