CVE-2023-46695 – django
Package
Manager: pip
Name: django
Vulnerable Version: >=3.2a1 <3.2.23 || >=4.1a1 <4.1.13 || >=4.2a1 <4.2.7
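To turn the "Vulnerable Version" spec above into a check a practitioner can run against an installed package, here is an added example (not part of the advisory or of Django itself). It parses Django-style version strings, including the a/b/rc pre-release forms the ranges use, and tests them against the three ranges listed; the `installed_django_version` helper is an assumption that `django.get_version()` is available, which holds for the affected releases.

```python
import re

# Vulnerable ranges copied from the "Vulnerable Version" field of this advisory,
# as (inclusive lower bound, exclusive upper bound) pairs. The lower bounds are
# pre-releases ("3.2a1"), so the parser must order a/b/rc before final releases.
VULNERABLE_RANGES = [
    ("3.2a1", "3.2.23"),
    ("4.1a1", "4.1.13"),
    ("4.2a1", "4.2.7"),
]

# major.minor[.micro][(a|b|rc)N]; dev builds ("4.2.dev2023...") are not handled.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # final releases sort after every pre-release of the same number


def version_key(version):
    """Map '4.2a1', '4.2' or '4.2.7' to a tuple that sorts like PEP 440 does.

    (major, minor, micro, pre_rank, pre_number) so that
    4.2a1 < 4.2b1 < 4.2rc1 < 4.2 < 4.2.7.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, micro, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else _FINAL_RANK
    return (int(major), int(minor), int(micro or 0), rank, int(pre_num or 0))


def is_vulnerable(version):
    """True if `version` falls inside any range listed for CVE-2023-46695."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in VULNERABLE_RANGES)


def installed_django_version():
    """Return the installed Django version string, or None if Django is absent.

    Assumption: django.get_version() is present (it is in every affected release).
    """
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    current = installed_django_version()
    if current is None:
        print("Django is not installed in this environment")
    else:
        state = "VULNERABLE" if is_vulnerable(current) else "not affected"
        print(f"Django {current}: {state} (CVE-2023-46695)")
```

Note that 4.0.x is not flagged: it is outside every listed range because that series was already end-of-life when the advisory was published, not because it was patched, so an environment on 4.0 still needs to move to a supported release.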
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02674 (percentile: 0.85261)
Details
Django potential denial of service vulnerability in UsernameField on Windows
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. Fixed in 3.2.23, 4.1.13 and 4.2.7.
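The mechanism is that the field ran NFKC normalization over the entire submitted value before any length check, so the cost of normalization scaled with whatever the client sent. The following is an added example, not Django's code: it shows that unbounded shape next to a guarded one that refuses to normalize anything longer than the field's max_length, which is the same idea the patched releases apply in UsernameField (normalize only when the value is within max_length). The 150-character default is an assumption taken from Django's default User.username limit; the ligature input is constructed here to show that NFKC can also expand a string, so the length must be re-checked after normalizing.

```python
import unicodedata

# Assumption: Django's default User.username max_length is 150. The functions
# take the limit as a parameter so a custom user model can pass its own.
DEFAULT_USERNAME_MAX_LENGTH = 150


class UsernameTooLong(ValueError):
    """Raised when a username exceeds max_length before or after normalization."""


def normalize_username_unbounded(value):
    """Vulnerable shape: normalize first, regardless of how large the input is.

    Every character the client sent goes through NFKC before any length
    validation runs, so the work done is controlled entirely by the attacker.
    """
    return unicodedata.normalize("NFKC", value)


def normalize_username(value, max_length=DEFAULT_USERNAME_MAX_LENGTH):
    """Hardened shape: bound the character count before touching NFKC.

    Oversized input is returned untouched so the form's ordinary max_length
    validator rejects it; normalization cost is capped at max_length characters.
    """
    if max_length is not None and len(value) > max_length:
        return value
    return unicodedata.normalize("NFKC", value)


def clean_username(value, max_length=DEFAULT_USERNAME_MAX_LENGTH):
    """Full validation path: bounded normalization, then a length check on the result.

    NFKC can expand characters (e.g. the ligature 'ﬁ' U+FB01 becomes 'fi'), so a
    value that fit before normalizing may no longer fit afterwards; the second
    check is what the max_length validator provides after to_python().
    """
    value = normalize_username(value, max_length)
    if max_length is not None and len(value) > max_length:
        raise UsernameTooLong(f"username longer than {max_length} characters")
    return value


if __name__ == "__main__":
    # Constructed inputs: a short ligature username and an oversized one.
    short = "\ufb01sher"          # 'ﬁsher' -> 'fisher' after NFKC
    huge = "\ufb01" * 1_000_000   # a million ligatures, never normalized by the guard
    print(repr(clean_username(short)))                     # 'fisher'
    print(normalize_username(huge) is huge)                 # True: returned untouched
    try:
        clean_username(huge)
    except UsernameTooLong as exc:
        print("rejected:", exc)
```

The order of the two checks matters: the first one (before NFKC) is what bounds CPU time per request, the second one (after NFKC) is what keeps the stored value within the column limit. Dropping the first re-creates the advisory's condition even though every oversized username is still ultimately rejected.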
Metadata
Created: 2023-11-02T06:30:25Z
Modified: 2024-09-20T16:05:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qmf9-6jqf-j8fq/GHSA-qmf9-6jqf-j8fq.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-qmf9-6jqf-j8fq
Finding: F002
Auto approve: 1