7.5

CVE-2022-23833

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version >= 2.2 < 2.2.27
DjangoprojectDjango Version >= 3.2 < 3.2.12
DjangoprojectDjango Version >= 4.0 < 4.0.2
FedoraprojectFedora Version34
FedoraprojectFedora Version35
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 49.25% 0.987
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://docs.djangoproject.com/en/4.0/releases/security/
Patch
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220221-0003/
Third Party Advisory
https://www.debian.org/security/2022/dsa-5254
Third Party Advisory
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Patch
Third Party Advisory
https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9