Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2023-28837
HistoryApr 03, 2023 - 5:15 p.m.

CVE-2023-28837

2023-04-0317:15:07
CWE-400
CWE-770
[email protected]
web.nvd.nist.gov
11
wagtail
cms
django
cve-2023-28837
vulnerability
memory exhaustion
denial of service
file upload

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%

JSON

Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail’s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.

Affected configurations

Vulners
NVD
Node
wagtailwagtailRange<4.1.4
OR
wagtailwagtailRange4.24.2.2

CNA Affected

[
  {
    "vendor": "wagtail",
    "product": "wagtail",
    "versions": [
      {
        "version": "< 4.1.4",
        "status": "affected"
      },
      {
        "version": ">= 4.2, < 4.2.2",
        "status": "affected"
      }
    ]
  }
]

Related

veracode 1
osv 3
prion 1
nessus 1
freebsd 1
cvelist 1
nvd 1
github 1
veracode
veracode
Denial Of Service (DoS)
2023-04-11 08:54:10
osv
osv
CVE-2023-28837
2023-04-03 17:15:07
PYSEC-2023-56
2023-04-03 17:15:00
Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files
2023-04-03 19:18:09
prion
prion
Input validation
2023-04-03 17:15:00
nessus
nessus
FreeBSD : py-wagtail -- DoS vulnerability (2def7c4b-736f-4754-9f03-236fcb586d91)
2023-08-31 00:00:00
freebsd
freebsd
py-wagtail -- DoS vulnerability
2023-04-03 00:00:00
cvelist
cvelist
CVE-2023-28837 Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files
2023-04-03 16:41:19
nvd
nvd
CVE-2023-28837
2023-04-03 17:15:07
github
github
Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files
2023-04-03 19:18:09

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%

JSON
Related for CVE-2023-28837
veracode1osv3prion1nessus1freebsd1cvelist1nvd1github1