CVE-2023-23969

2023-02-0119:15:08

Debian Security Bug Tracker

security-tracker.debian.org

django

parsed values

accept-language

headers

denial-of-service

memory usage

excessive

cve-2023-23969

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.009 Low

EPSS

Percentile

82.6%

JSON

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-django< 3:3.2.17-1python-django_3:3.2.17-1_all.deb
Debian11allpython-django< 2:2.2.28-1~deb11u2python-django_2:2.2.28-1~deb11u2_all.deb
Debian999allpython-django< 3:3.2.17-1python-django_3:3.2.17-1_all.deb
Debian13allpython-django< 3:3.2.17-1python-django_3:3.2.17-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-django	< 3:3.2.17-1	python-django_3:3.2.17-1_all.deb
Debian	11	all	python-django	< 2:2.2.28-1~deb11u2	python-django_2:2.2.28-1~deb11u2_all.deb
Debian	999	all	python-django	< 3:3.2.17-1	python-django_3:3.2.17-1_all.deb
Debian	13	all	python-django	< 3:3.2.17-1	python-django_3:3.2.17-1_all.deb