CVE-2022-23833 (GCVE-0-2022-23833)
Vulnerability from cvelistv5
Published
2022-02-03 00:00
Modified
2024-08-03 03:51
Severity ?
CWE
  • n/a
Summary
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
References
cve@mitre.orghttps://docs.djangoproject.com/en/4.0/releases/security/Patch, Third Party Advisory
cve@mitre.orghttps://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
cve@mitre.orghttps://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
cve@mitre.orghttps://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
cve@mitre.orghttps://groups.google.com/forum/#%21forum/django-announce
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20220221-0003/Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2022/dsa-5254Third Party Advisory
cve@mitre.orghttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://docs.djangoproject.com/en/4.0/releases/security/Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
af854a3a-2127-422b-91ae-364da2661108https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
af854a3a-2127-422b-91ae-364da2661108https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
af854a3a-2127-422b-91ae-364da2661108https://groups.google.com/forum/#%21forum/django-announce
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220221-0003/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2022/dsa-5254Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.djangoproject.com/weblog/2022/feb/01/security-releases/Patch, Third Party Advisory
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.008Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-22T23:04:35.819653",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
        },
        {
          "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
        },
        {
          "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23833",
    "datePublished": "2022-02-03T00:00:00",
    "dateReserved": "2022-01-21T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23833\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-02-03T02:15:07.623\",\"lastModified\":\"2024-11-21T06:49:20.623\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en MultiPartParser en Django versiones 2.2 anteriores a 2.2.27, 3.2 anteriores a 3.2.12 y 4.0 anteriores a 4.0.2. Pasar determinadas entradas a formularios multiparte pod\u00eda resultar en un bucle infinito cuando eran analizados los archivos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2\",\"versionEndExcluding\":\"2.2.27\",\"matchCriteriaId\":\"F7324BB5-64C7-45F6-ADEB-E0929B4B00B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2\",\"versionEndExcluding\":\"3.2.12\",\"matchCriteriaId\":\"D15BB946-FCF5-43FC-99EF-EBB2513CA2FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndExcluding\":\"4.0.2\",\"matchCriteriaId\":\"FA09D497-21DD-410D-9692-A601B1EAA0B9\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://docs.djangoproject.com/en/4.0/releases/security/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://groups.google.com/forum/#%21forum/django-announce\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220221-0003/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5254\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://docs.djangoproject.com/en/4.0/releases/security/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/forum/#%21forum/django-announce\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220221-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5254\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}