{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-23833", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T03:51:46.008Z", "dateReserved": "2022-01-21T00:00:00", "datePublished": "2022-02-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-11-22T23:04:35.819653"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"}, {"name": "DSA-5254", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5254"}, {"url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"}, {"url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"}, {"url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:46.008Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce", "tags": ["x_transferred"]}, {"url": "https://docs.djangoproject.com/en/4.0/releases/security/", "tags": ["x_transferred"]}, {"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"url": "https://security.netapp.com/advisory/ntap-20220221-0003/", "tags": ["x_transferred"]}, {"name": "DSA-5254", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5254"}, {"url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a", "tags": ["x_transferred"]}, {"url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468", "tags": ["x_transferred"]}, {"url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7324BB5-64C7-45F6-ADEB-E0929B4B00B6", "versionEndExcluding": "2.2.27", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "D15BB946-FCF5-43FC-99EF-EBB2513CA2FB", "versionEndExcluding": "3.2.12", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA09D497-21DD-410D-9692-A601B1EAA0B9", "versionEndExcluding": "4.0.2", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."}, {"lang": "es", "value": "Se ha detectado un problema en MultiPartParser en Django versiones 2.2 anteriores a 2.2.27, 3.2 anteriores a 3.2.12 y 4.0 anteriores a 4.0.2. Pasar determinadas entradas a formularios multiparte pod\u00eda resultar en un bucle infinito cuando eran analizados los archivos"}], "id": "CVE-2022-23833", "lastModified": "2023-11-22T23:15:08.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-03T02:15:07.623", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"source": "cve@mitre.org", "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"}, {"source": "cve@mitre.org", "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"}, {"source": "cve@mitre.org", "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5254"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8872", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-django20-0:2.0.13-18.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:8853", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-django20-0:2.0.13-18.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite_capsule:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}], "bugzilla": {"description": "django: Denial-of-service possibility in file uploads", "id": "2048778", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2048778"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.", "A flaw was found in Django. The issue occurs when passing certain inputs to multipart forms, resulting in an infinite loop when parsing files."], "name": "CVE-2022-23833", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "package_name": "django", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python3-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2022-02-01T08:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23833\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23833\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/"], "threat_severity": "Moderate", "upstream_fix": "django 4.0.2, django 3.2.12, django 2.2.27"}