CVE-2022-23833

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Published: Feb 3, 2022
Updated: Nov 8, 2023
CVE: CVE-2022-23833
GHSA: GHSA-6cw3-g6wv-c2xv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-835

Affected Software
References

Software	From	Fixed in
djangoproject / django	3.2	3.2.12
djangoproject / django	4.0	4.0.2
djangoproject / django	2.2	2.2.27
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
debian / debian_linux	11.0	11.0.x
Django	2.2.0	2.2.27
Django	3.2.0	3.2.12
Django	4.0.0	4.0.2

https://docs.djangoproject.com/en/4.0/releases/security/
https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
https://groups.google.com/forum/#!forum/django-announce
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20220221-0003/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/

Vulnerability Database

289,697

CVE-2022-23833