CVE-2023-31047
python-django - security update
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 0.16%
Description
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
How to fix CVE-2023-31047
To remediate CVE-2023-31047, upgrade the affected package to a fixed version below.
- upgrade to 3.2.19 or later
- upgrade to 2:2.2.28-1~deb11u2 or later
- upgrade to 1:1.11.29-1+deb10u8 or later
- upgrade to 3.2.19 or later
- upgrade to 3.2.19 or later
Is CVE-2023-31047 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 3.2.0, < 3.2.19, >= 4.0.0, < 4.1.9 | >= 4.2.0, <= 4.2.0
- from 0, < 2:2.2.28-1~deb11u2
- from 0, < 1:1.11.29-1+deb10u8
- >= 3.2a1, < 3.2.19
- >= 3.2, < 3.2.19, >= 4.0, < 4.1.9, >= 4.2, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |