CVE-2022-23833
HIGH
Django 2.2-2.2.26, 3.2-3.2.11, 4.0-4.0.1 - Denial of Service via MultiPartParser Infinite Loop
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
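An added example, not part of this record and not Django's own code: a small checker that maps Django version strings onto the ranges stated in the description above (2.2 before 2.2.27, 3.2 before 3.2.12, 4.0 before 4.0.2) and scans pinned requirements lines for them. The version grammar, the treatment of pre-release suffixes as older than the matching final release, and the constructed sample requirements are assumptions of the example; series the advisory does not name are reported as not listed rather than as safe.

```python
"""Classify Django versions against the ranges given for CVE-2022-23833.

Example added to this record; it is not Django's code. Ranges come from the
advisory text: 2.2 < 2.2.27, 3.2 < 3.2.12, 4.0 < 4.0.2 (fixed release listed).
"""
import re

# (series, first fixed release) as stated in the description.
AFFECTED = [
    ("2.2", "2.2.27"),
    ("3.2", "3.2.12"),
    ("4.0", "4.0.2"),
]

# Assumption: versions look like 4.0.1, 3.2 or 4.0.2rc1 (a/b/rc suffixes).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text):
    """Return a tuple that sorts pre-releases before the final release.

    Final:  (major, minor, micro, 1, 0, 0)
    Pre:    (major, minor, micro, 0, rank, number)
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, micro, pre, pre_num = m.groups()
    micro = int(micro or 0)
    if pre is None:
        return (int(major), int(minor), micro, 1, 0, 0)
    return (int(major), int(minor), micro, 0, _PRE_RANK[pre], int(pre_num))


def check_version(version):
    """Return 'affected', 'fixed' or 'not-listed' for one Django version."""
    v = parse_version(version)
    for series, first_fixed in AFFECTED:
        if v[:2] == parse_version(series)[:2]:
            # Anything older than the fixed release, including its own
            # pre-releases, is treated as affected (conservative assumption).
            return "affected" if v < parse_version(first_fixed) else "fixed"
    # Only 2.2, 3.2 and 4.0 are named by the advisory; other series
    # (e.g. end-of-life 3.0/3.1) are outside its scope, not known-safe.
    return "not-listed"


# Requirements-file matching: only exact '==' pins can be classified.
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9a-z.]*)", re.IGNORECASE)
_ANY_DJANGO_RE = re.compile(r"^\s*django\s*(?:[<>=~!]|$)", re.IGNORECASE)


def scan_requirements(lines):
    """Return (spec, status) for each Django line; non-pinned specs get
    'unpinned' so a human resolves what actually gets installed."""
    results = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            results.append((m.group(1), check_version(m.group(1))))
        elif _ANY_DJANGO_RE.match(line):      # Django with a range, or bare
            results.append((line, "unpinned"))
        # other packages (djangorestframework, django-filter, ...) are skipped
    return results


# Constructed sample requirements, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "Django==4.0.1   # sample pin",
    "djangorestframework==3.13.1",
    "Django>=3.2,<4.0",
]

if __name__ == "__main__":
    try:
        from importlib.metadata import version as installed_version
        ver = installed_version("Django")
        print(f"installed Django {ver}: {check_version(ver)}")
    except Exception as exc:  # Django absent or metadata unreadable
        print(f"no installed Django found ({exc})")
    for spec, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{spec:32} {status}")
```

Run it inside the virtualenv of the application being assessed; the installed-package check uses importlib.metadata, so it reports the Django that would actually serve requests rather than whatever a requirements file claims.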
References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5254
Patch, Third Party Advisory
https://docs.djangoproject.com/en/4.0/releases/security/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220221-0003/
Patch, Third Party Advisory
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Scores
CVSS v3
7.5
EPSS
0.4925
EPSS Percentile
98.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-835 (Loop with Unreachable Exit Condition, i.e. Infinite Loop)
Status
published
Products (5)
debian/debian_linux
11.0
djangoproject/django
2.2 - 2.2.27 (upper bound exclusive; 2.2.27 is the fixed release)
fedoraproject/fedora
34
fedoraproject/fedora
35
pypi/Django
2.2 - 2.2.27 (upper bound exclusive; 2.2.27 is the fixed release)
Published
Feb 03, 2022
Tracked Since
Feb 18, 2026