Fluid Attacks Database

Description

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	starlette	>=0 <0.25.0-1	0.25.0-1
debian 11	starlette	=0.14.1-1 \|\| =0.16.0-1 \|\| =0.18.0-1 \|\| =0.20.4-1 \|\| =0.23.1-1 \|\| =0.24.0-1 \|\| =0.25.0-1 \|\| =0.25.0-2 \|\| =0.26.1-1 \|\| =0.28.0-1 \|\| =0.30.0-1 \|\| =0.31.1-1 \|\| =0.37.2-1 \|\| =0.38.2-1 \|\| =0.39.1-1 \|\| =0.39.2-1 \|\| =0.41.0-1 \|\| =0.41.2-1 \|\| =0.41.3-1 \|\| =0.41.3-2 \|\| =0.46.1-1 \|\| =0.46.1-2 \|\| =0.46.1-3 \|\| =0.50.0-1 \|\| =1.0.0-1	-
debian 13	starlette	>=0 <0.25.0-1	0.25.0-1
debian 14	starlette	>=0 <0.25.0-1	0.25.0-1
pypi	starlette	>=0 <0.25.0	0.25.0

Aliases

1. CVE-2023-307982. NVD-2023-307983. OSV-DEBIAN-2023-307984. OSV-2023-307985. GHSA-74m5-2c7w-9w3x6. GCVE-2023-307987. SECURITY-TRACKER-CVE-2023-30798

References

1. https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x2. https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa3. https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2023-48.yaml4. https://vulncheck.com/advisories/starlette-multipartparser-dos

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.