CVE-2023-41164 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-41164

CVE-2023-41164

November 03, 2023

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Affected Packages

Django (PYTHON):

Affected version(s)

Fix Suggestion:

Update to version 3.2.21

Django (PYTHON):

Affected version(s)

Fix Suggestion:

Update to version 3.2.21

Django (PYTHON):

Affected version(s) >=4.2 <4.2.5

Fix Suggestion:

Update to version 4.2.5

Django (PYTHON):

Affected version(s)

Fix Suggestion:

Update to version 3.2.21

Django (PYTHON):

Affected version(s) >=4.1 <4.1.11

Fix Suggestion:

Update to version 4.1.11

Django (PYTHON):

Affected version(s) >=4.2 <4.2.5

Fix Suggestion:

Update to version 4.2.5

Django (PYTHON):

Affected version(s) >=4.1 <4.1.11

Fix Suggestion:

Update to version 4.1.11

Django (PYTHON):

Affected version(s)

Fix Suggestion:

Update to version 3.2.21

Django (PYTHON):

Affected version(s) >=4.2 <4.2.5

Fix Suggestion:

Update to version 4.2.5

Django (PYTHON):

Affected version(s) >=4.2 <4.2.5

Fix Suggestion:

Update to version 4.2.5

Django (PYTHON):

Affected version(s) >=4.1 <4.1.11

Fix Suggestion:

Update to version 4.1.11

Related Resources (22)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU

https://www.djangoproject.com/weblog/2023/sep/04/security-releases/

https://groups.google.com/forum/#!forum/django-announce

https://www.djangoproject.com/weblog/2023/sep/04/security-releases

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/

https://groups.google.com/forum/#%21forum/django-announce

https://github.com/django/django

https://security.netapp.com/advisory/ntap-20231214-0002/

https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9

https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e

https://docs.djangoproject.com/en/4.2/releases/security

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D

https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-225.yaml

https://security.netapp.com/advisory/ntap-20231214-0002

https://nvd.nist.gov/vuln/detail/CVE-2023-41164

https://security-tracker.debian.org/tracker/CVE-2023-41164

https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/

https://docs.djangoproject.com/en/4.2/releases/security/

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Improper Validation of Specified Quantity in Input

CWE-1284

Uncontrolled Resource Consumption

CWE-400

EPSS

Base Score:

0.32

Products

Solutions

Resources

Company

Compare

Developer Tools