CVE-2023-41164: Django security releases issued: 4.2.5, 4.1.11, and 3.2.21
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Posted by Mariusz Felisiak on September 4, 2023
In accordance with our security release policy, the Django team is issuing Django 4.2.5, Django 4.1.11, and Django 3.2.21. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
django.utils.encoding.uri_to_iri() was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters.
Thanks MProgrammer for the report.
This issue has severity “moderate” according to the Django security policy.
Affected supported versions
- Django main branch
- Django 4.2
- Django 4.1
- Django 3.2
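A check of exact Django pins in a requirements file against the version ranges stated in this advisory. This is an added example, not code from Django or from the advisory; the function names and the sample file are constructed. It evaluates only `==` pins; series the advisory does not name are reported as not listed rather than guessed.

```python
import re

# First fixed release per series, taken from the advisory text above.
FIXED = {(3, 2): (3, 2, 21), (4, 1): (4, 1, 11), (4, 2): (4, 2, 5)}

# Exact pin of the "django" package itself (optional extras, optional marker).
PIN = re.compile(
    r"^\s*django(?:\[[^\]]*\])?\s*==\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:;.*)?$",
    re.I,
)


def check_pin(line):
    """Classify one requirements line against CVE-2023-41164.

    Returns None if the line is not an exact Django pin, otherwise
    (status, version, fixed) with status 'affected', 'patched' or
    'not-listed' (a series the advisory does not mention).
    """
    m = PIN.match(line.split("#", 1)[0])  # drop trailing comments
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return ("not-listed", version, None)
    return ("affected" if version < fixed else "patched", version, fixed)


def audit(requirements_text):
    """Return (line_number, status, version, fixed) for every Django pin."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        result = check_pin(line)
        if result:
            findings.append((lineno, *result))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
# web stack
Django==4.2.4
django-filter==23.2
django[argon2]==3.2.21  # LTS
Django==4.0.10
"""

if __name__ == "__main__":
    for lineno, status, version, fixed in audit(SAMPLE):
        print(f"line {lineno}: Django {'.'.join(map(str, version))}: {status}")
```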
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected], and not via Django’s Trac instance or the django-developers list. Please see our security policies for further information.
Related news
Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security and operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
Red Hat Security Advisory 2023-5701-01 - An update is now available for Red Hat Ansible Automation Platform 2.3. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6414-2 - USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django, respectively. This update provides the corresponding update for Ubuntu 18.04 LTS. Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-41164: An uncontrolled resource consumption vulnerability was found in Django. Feeding certain inputs with a very large number of Unicode characters to the URI to IRI encoder function can lead to a denial of service.