CVE-2023-24580

HIGH

Django 3.2-3.2.18 - Denial of Service via Multipart Request Parser

Title source: llm
STIX 2.1

Description

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

References (11)

Core 11
Core References
Mailing List, Release Notes, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/02/14/1
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html

Scores

CVSS v3 7.5
EPSS 0.2272
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-400
Status published
Products (3)
debian/debian_linux 10.0
djangoproject/django 3.2 - 3.2.18
pypi/Django 3.2a1 - 3.2.18PyPI
Published Feb 15, 2023
Tracked Since Feb 18, 2026