History: Apr 03, 2023 - 5:15 p.m.

CVE-2023-28837

2023-04-03 17:15:07
CWE-400
CWE-770
web.nvd.nist.gov

Tags: wagtail, cms, django, cve-2023-28837, vulnerability, memory exhaustion, denial of service, file upload

4.9 Medium (CVSS3)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 5 Medium (Confidence: High)

EPSS: 0.002 Low (Percentile: 57.2%)

Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, the uploaded file is loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default; however, this validation happens only on the frontend and, on the backend, only after the vulnerable code has already loaded the file into memory.

Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.
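One way to apply the extra protection the advisory recommends, as an added example that is not Wagtail's own code: a WSGI middleware placed in front of the Django application that rejects oversized POSTs to the admin upload paths before the application can buffer the file. It assumes the admin is mounted at /admin/ with uploads under /admin/images/ and /admin/documents/; `memory_hungry_app` and `run_request` are constructed stand-ins for the application and the server so the guard can be exercised offline.

```python
import io

# Added example, not Wagtail's own code. Assumes the admin is mounted at /admin/.
GUARDED_PREFIXES = ("/admin/images/", "/admin/documents/")
DEFAULT_LIMIT = 10 * 1024 * 1024  # matches Wagtail's default 10 MB image limit

class _LimitedInput:
    # Wraps wsgi.input so at most `limit` bytes can ever be read; this also covers
    # a body whose Content-Length header is missing or understated.
    def __init__(self, stream, limit):
        self._stream, self._remaining = stream, limit
    def read(self, size=-1):
        # Cap each chunk at remaining+1 so an over-limit body is detected, not truncated.
        if size is None or size < 0 or size > self._remaining + 1:
            size = self._remaining + 1
        data = self._stream.read(size)
        self._remaining -= len(data)
        if self._remaining < 0:
            raise ValueError("request body exceeds the upload size limit")
        return data

class UploadSizeLimit:
    # WSGI middleware: stop oversized POSTs to the admin upload paths before the
    # downstream application (Wagtail) buffers the file in memory.
    def __init__(self, app, limit=DEFAULT_LIMIT, prefixes=GUARDED_PREFIXES):
        self.app, self.limit, self.prefixes = app, limit, prefixes
    def __call__(self, environ, start_response):
        if (environ.get("REQUEST_METHOD") == "POST"
                and environ.get("PATH_INFO", "").startswith(self.prefixes)):
            declared = int(environ.get("CONTENT_LENGTH") or 0)
            if declared > self.limit:  # honest Content-Length: reject without reading
                start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
                return [b"413 Payload Too Large\n"]
            environ["wsgi.input"] = _LimitedInput(environ["wsgi.input"], self.limit)
        return self.app(environ, start_response)

def memory_hungry_app(environ, start_response):
    # Stand-in for the unpatched upload view: reads the whole body into memory.
    data = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(len(data)).encode()]

def run_request(app, path, body, content_length=None):
    # Drive `app` with a constructed WSGI environ; returns (status line, response body).
    seen = {}
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path, "wsgi.input": io.BytesIO(body),
               "CONTENT_LENGTH": str(len(body) if content_length is None else content_length)}
    out = b"".join(app(environ, lambda s, h, e=None: seen.update(status=s)))
    return seen["status"], out
```

An honest oversized Content-Length is answered with 413 before any body is read; a body that exceeds the limit despite a small or missing Content-Length is cut off by the wrapped stream, so the process never holds more than the limit in memory.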

Affected configurations

Vulners
NVD
Node: wagtail / wagtail, Range: < 4.1.4
OR
Node: wagtail / wagtail, Range: >= 4.2, < 4.2.2

CNA Affected

[
  {
    "vendor": "wagtail",
    "product": "wagtail",
    "versions": [
      {
        "version": "< 4.1.4",
        "status": "affected"
      },
      {
        "version": ">= 4.2, < 4.2.2",
        "status": "affected"
      }
    ]
  }
]
