CVE-2023-23969

EPSS 1.01%
Veröffentlicht 01.02.2023 19:15:08
Zuletzt bearbeitet 27.03.2025 15:15:45
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 3.2 < 3.2.17

Djangoproject ≫ Django Version >= 4.0 < 4.0.9

Djangoproject ≫ Django Version >= 4.1 < 4.1.6

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.01%	0.763

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://groups.google.com/forum/#%21forum/django-announce

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/

https://docs.djangoproject.com/en/4.1/releases/security/

Patch

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20230302-0007/

https://www.djangoproject.com/weblog/2023/feb/01/security-releases/

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-23969

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-23969

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-23969

EUVD