{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-31047", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T14:45:25.559Z", "dateReserved": "2023-04-24T00:00:00", "datePublished": "2023-05-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-09T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://docs.djangoproject.com/en/4.2/releases/security/"}, {"url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/"}, {"name": "FEDORA-2023-0d20d09f2d", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"}, {"name": "FEDORA-2023-8f9d949dbc", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0008/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.559Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce", "tags": ["x_transferred"]}, {"url": "https://docs.djangoproject.com/en/4.2/releases/security/", "tags": ["x_transferred"]}, {"url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-0d20d09f2d", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"}, {"name": "FEDORA-2023-8f9d949dbc", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0008/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "11799E5A-8045-48F2-BFBF-C377FD718F39", "versionEndExcluding": "3.2.19", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEC3B71C-022D-443A-AF8B-F3C13268C669", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:4.2:-:*:*:*:*:*:*", "matchCriteriaId": "6047ED22-7DD3-419E-B906-B120096CD8D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:4.2:b1:*:*:*:*:*:*", "matchCriteriaId": "47CC8B88-335C-4E6A-8AC9-DC6D5297607A", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:4.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "23FA889E-19AF-4AE9-AF47-00561632B438", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise."}], "id": "CVE-2023-31047", "lastModified": "2023-11-07T04:14:10.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-07T02:15:08.917", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/4.2/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230609-0008/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5931", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "impact": "low", "package": "python-django-0:3.2.21-1.el8pc", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5931", "cpe": "cpe:/a:redhat:satellite_capsule:6.13::el8", "impact": "low", "package": "python-django-0:3.2.21-1.el8pc", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "impact": "low", "package": "python-django-0:3.2.21-1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "impact": "low", "package": "python-django-0:3.2.21-1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:4591", "cpe": "cpe:/a:redhat:rhui:4::el8", "impact": "low", "package": "python-django-0:3.2.19-1.0.1.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2023-08-09T00:00:00Z"}], "bugzilla": {"description": "python-django: Potential bypass of validation when uploading multiple files using one form field", "id": "2192565", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192565"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.", "A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded."], "name": "CVE-2023-31047", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}], "public_date": "2023-05-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-31047\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-31047\nhttps://www.djangoproject.com/weblog/2023/may/03/security-releases/"], "statement": "Red Hat Satellite and Red Hat Update Infrastructure individual impact ratings have been set to Low since initial privileges are required in order to access the server and the vulnerable functionality.", "threat_severity": "Moderate", "upstream_fix": "python-django 3.2.19, python-django 4.1.9, python-django 4.2.1"}