VDB
BIT-django-2023-31047
BIT-django-2023-31047
PUBLISHED
CVSS 9.800000190734863 CRITICAL
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 3.2.0, 4.0.0, 4.2.0 |
Timeline
- Mar 6, 2024 CVE Published
- Apr 3, 2025 CVE Updated
References
- https://docs.djangoproject.com/en/4.2/releases/security/ url
- https://groups.google.com/forum/#%21forum/django-announce url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/ url
- https://security.netapp.com/advisory/ntap-20230609-0008/ url
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/ url
- https://nvd.nist.gov/vuln/detail/CVE-2023-31047 url