Vulnerability CVE-2023-31047: Information

Description

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. Multiple uploads through a single field have never been supported by forms.FileField or forms.ImageField: when several files are submitted under one field name, the field validates only the last of them, so the remaining files reach the application without any validation. Django's "Uploading multiple files" documentation nevertheless suggested that this usage was supported. The fixed releases make ClearableFileInput raise ValueError when its "multiple" attribute is set unless a widget subclass opts in with allow_multiple_selected = True, and the documentation now shows a MultipleFileField subclass that validates every file in the submitted list.
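The mechanism behind the bypass, as an added example that is neither Django's code nor part of this advisory: request.FILES is a MultiValueDict, so files[name] returns only the last file submitted under that name while files.getlist(name) returns all of them. A single-file field that validates files[name] therefore checks one file, and a view that then saves getlist(name) stores the unchecked ones. The MultiValueDict below is a constructed stand-in that reproduces only those two behaviours of Django's class (it is not imported from Django), the Upload class, size limit and extension policy are constructed for the demo, and MultipleFileField follows the shape of the post-fix documentation pattern bound to this demo's validator. Running it without Django installed is the point: the flaw is in which value gets validated, not in any Django internals.

```python
import os
from dataclasses import dataclass


class ValidationError(Exception):
    """Raised when an upload fails the field's checks."""


class MultiValueDict(dict):
    """Minimal stand-in for django.utils.datastructures.MultiValueDict.

    Assumption: modeled, not imported. Only the two behaviours that matter
    here are reproduced: files[key] returns the LAST value submitted under
    that key, files.getlist(key) returns all of them.
    """

    def __init__(self, mapping=None):
        super().__init__()
        for key, values in (mapping or {}).items():
            self.setlist(key, values)

    def __getitem__(self, key):
        values = super().__getitem__(key)
        return values[-1] if values else []

    def getlist(self, key):
        return list(super().get(key, []))

    def setlist(self, key, values):
        super().__setitem__(key, list(values))


@dataclass
class Upload:
    """Constructed stand-in for an UploadedFile: just a name and a size."""
    name: str
    size: int


# Constructed policy for the demo; a real form would carry its own validators.
MAX_SIZE = 1_000_000
ALLOWED_EXT = {".png", ".jpg", ".pdf"}


def clean_single_file(upload):
    """Validate exactly one upload, as forms.FileField.clean() validates one file."""
    ext = os.path.splitext(upload.name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValidationError(f"{upload.name}: extension {ext!r} not allowed")
    if upload.size > MAX_SIZE:
        raise ValidationError(f"{upload.name}: {upload.size} bytes exceeds {MAX_SIZE}")
    return upload


def vulnerable_clean(files, name="attachments"):
    """Pre-fix shape: the single-file field reads files[name], so only the last
    upload is checked, while the view then saves everything from getlist()."""
    clean_single_file(files[name])
    return files.getlist(name)


class MultipleFileField:
    """Same shape as the MultipleFileField in Django's post-fix 'Uploading
    multiple files' documentation, bound to this demo's clean_single_file
    instead of forms.FileField.clean."""

    def clean(self, data):
        if isinstance(data, (list, tuple)):
            return [clean_single_file(d) for d in data]
        return [clean_single_file(data)]


def fixed_clean(files, name="attachments"):
    """Post-fix shape: fetch every file with getlist() and validate each one."""
    return MultipleFileField().clean(files.getlist(name))


def outcome(cleaner, files):
    """Run a cleaner; report ('accepted', [names]) or ('rejected', message)."""
    try:
        return "accepted", [u.name for u in cleaner(files)]
    except ValidationError as exc:
        return "rejected", str(exc)


# Constructed request.FILES: three files under one field name, only the last legitimate.
SAMPLE_FILES = MultiValueDict({
    "attachments": [
        Upload("shell.php", 120),
        Upload("big.pdf", 5_000_000),
        Upload("ok.png", 2_048),
    ]
})

if __name__ == "__main__":
    print("vulnerable:", outcome(vulnerable_clean, SAMPLE_FILES))
    print("fixed:     ", outcome(fixed_clean, SAMPLE_FILES))
```

With the sample input the vulnerable path accepts all three files because only ok.png was ever checked, while the fixed path rejects the request on shell.php. The same split applies to any per-file check (content type, image decoding for ImageField, size): whatever is only applied to files[name] covers one file out of N.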

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: May 7, 2023
Modified: Nov. 7, 2023
Weakness type (CWE): CWE-20 (Improper Input Validation)

Fixed packages

Package name           Branch            Fixed in version  Version in repository  Errata ID           Task #  State
python3-module-django  sisyphus          3.2.19-alt1       4.2.11-alt1            ALT-PU-2023-1898-1  321960  Fixed
python3-module-django  sisyphus_e2k      3.2.19-alt1       4.2.11-alt1            ALT-PU-2023-3708-1  -       Fixed
python3-module-django  sisyphus_riscv64  3.2.19-alt1       4.2.11-alt1            ALT-PU-2023-3720-1  -       Fixed
python3-module-django  p10               3.2.19-alt1       3.2.23-alt1            ALT-PU-2023-1911-1  322022  Fixed
python3-module-django  p10_e2k           3.2.19-alt1       3.2.23-alt1            ALT-PU-2023-3804-1  -       Fixed
python3-module-django  c10f1             3.2.19-alt1       3.2.25-alt1            ALT-PU-2023-2071-1  322196  Fixed

Vulnerable configurations (CPE)

    Configuration 1

      cpe:2.3:a:djangoproject:django:4.2:rc1:*:*:*:*:*:*
      cpe:2.3:a:djangoproject:django:4.2:b1:*:*:*:*:*:*
      cpe:2.3:a:djangoproject:django:4.2:-:*:*:*:*:*:*
      cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
        versions from 4.0 (including) up to 4.1.9 (excluding)
      cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
        versions from 3.2 (including) up to 3.2.19 (excluding)

    Configuration 2

      cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*