CVE-2023-23969

Description

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

How to fix CVE-2023-23969

To remediate CVE-2023-23969, upgrade the affected package to a fixed version below.

• —upgrade to 3.2.17 or later
• —upgrade to 2:2.2.28-1~deb11u2 or later
• —upgrade to 1:1.11.29-1+deb10u6 or later
• —upgrade to 3.2.17 or later
• —upgrade to 3.2.17 or later

Is CVE-2023-23969 being exploited?

Moderate — EPSS is 5.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• >= 3.2.0, < 3.2.17, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.6
• from 0, < 2:2.2.28-1~deb11u2
• from 0, < 1:1.11.29-1+deb10u6
• >= 3.2a1, < 3.2.17
• >= 3.2, < 3.2.17, >= 4.0, < 4.0.9, >= 4.1, < 4.1.6

CVSS scores

References (21)

• ADVISORYgithub.com/advisories/GHSA-q2jf-h9jm-m7p4
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-23969
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-23969
• ADVISORYwww.djangoproject.com/weblog/2023/feb/01/security-releases/
• PATCH