High severityNVD Advisory· Published Feb 15, 2023· Updated Mar 18, 2025
CVE-2023-24580
CVE-2023-24580
Description
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 3.2a1, < 3.2.18 | 3.2.18 |
DjangoPyPI | >= 4.1a1, < 4.1.7 | 4.1.7 |
DjangoPyPI | >= 4.0a1, < 4.0.10 | 4.0.10 |
Affected products
18- osv-coords17 versionspkg:bitnami/djangopkg:pypi/djangopkg:rpm/opensuse/python-Django1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Django1&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP5
>= 3.2.0, < 3.2.18+ 16 more
- (no CPE)range: >= 3.2.0, < 3.2.18
- (no CPE)range: >= 3.2a1, < 3.2.18
- (no CPE)range: < 1.11.29-bp154.2.3.1
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 2.2.28-bp154.2.9.1
- (no CPE)range: < 2.2.28-bp155.7.3.1
- (no CPE)range: < 4.1.7-1.1
- (no CPE)range: < 1.11.29-3.44.1
- (no CPE)range: < 1.11.29-3.44.1
- (no CPE)range: < 1.11.29-bp154.2.3.1
- (no CPE)range: < 1.11.29-3.45.1
- (no CPE)range: < 1.11.29-3.45.1
- (no CPE)range: < 1.11.29-3.45.1
- (no CPE)range: < 1.11.15-2.1
- (no CPE)range: < 2.2.28-bp154.2.9.1
- (no CPE)range: < 2.2.28-bp155.7.3.1
Patches
Vulnerability mechanics
References
31- github.com/advisories/GHSA-2hrw-hx67-34x6ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2023-24580ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/02/14/1ghsaWEB
- docs.djangoproject.com/en/4.1/releases/securityghsaWEB
- github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92ghsaWEB
- github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432ghsaWEB
- github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-13.yamlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/ghsaWEB
- lists.debian.org/debian-lts-announce/2023/02/msg00023.htmlghsamailing-listWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7BghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IKghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQIghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7BghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IKghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQIghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSPghsaWEB
- security.netapp.com/advisory/ntap-20230316-0006ghsaWEB
- www.djangoproject.com/weblog/2023/feb/14/security-releasesghsaWEB
- docs.djangoproject.com/en/4.1/releases/security/mitre
- security.netapp.com/advisory/ntap-20230316-0006/mitre
- www.djangoproject.com/weblog/2023/feb/14/security-releases/mitre
News mentions
0No linked articles in our index yet.