Vulnerability Monitor

CVE-2023-31047


In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.


Published: 2023-05-07T02:15:08.917

Last Modified: 2025-01-29T16:15:42.863

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 9.8 (CRITICAL)

Weaknesses
  • Type: Primary
    CWE-20
  • Type: Secondary
    CWE-862

Affected Vendors & Products
Type              Vendor         Product  Version/Range  Vulnerable?
Application       djangoproject  django   < 3.2.19       Yes
Application       djangoproject  django   < 4.1.9        Yes
Application       djangoproject  django   4.2            Yes
Application       djangoproject  django   4.2            Yes
Application       djangoproject  django   4.2            Yes
Operating System  fedoraproject  fedora   38             Yes

References