VDB
CVE-2023-31047
CVE-2023-31047
PUBLISHED
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
EPSS 0.16% · 36.7th percentile
Risk Scores
EPSS Score
0.16%
36.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 4.2.0, 3.2.0, 3.2.0 |
| Bitnami | django | 4.2.0, 3.2.0, 4.0.0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2023-31047 (circl-sighting)
- CIRCL seen: CVE-2023-31047 (circl-sighting)
- https://groups.google.com/forum/#%21forum/django-announce (circl)
- https://docs.djangoproject.com/en/4.2/releases/security/ (circl)
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/ (circl)
- FEDORA-2023-0d20d09f2d (circl)
- FEDORA-2023-8f9d949dbc (circl)
- https://security.netapp.com/advisory/ntap-20230609-0008/ (circl)
- allowed-vulnerabilities.yml (github-poc)
- allowed-vulnerabilities.yml (github-poc)
…and 9 more exploits
Timeline
- May 3, 2023 CVE Published
- May 7, 2023 EPSS Score
- May 7, 2023 PoC Published
- Jun 13, 2023 EPSS Score
- Jun 23, 2023 PoC Published
- Aug 26, 2023 EPSS Score
- Oct 1, 2023 EPSS Score
- Nov 7, 2023 EPSS Score
- Jan 20, 2024 EPSS Score
- Feb 26, 2024 EPSS Score
- Apr 3, 2024 EPSS Score
- Jun 15, 2024 EPSS Score
References
- https://docs.djangoproject.com/en/4.2/releases/security/ url
- https://groups.google.com/forum/#%21forum/django-announce url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/ url
- https://security.netapp.com/advisory/ntap-20230609-0008/ url
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/ url
- https://nvd.nist.gov/vuln/detail/CVE-2023-31047 url