7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.0%
In Django 3.2.x before 3.2.18, 4.0.x before 4.0.10 and 4.1.x before 4.1.7, the multipart request parser was subject to a Denial of Service attack. The multipart request parser processes the request body on endpoints with a form and any other POST endpoints as well. The parser was processing an unlimited number of empty/file multipart-parts. For each file part a new temporary file was opened and kept open for the entire duration of the request. The parsing and tracking of an unbound number of parts/files can lead to too many files being open and memory exhaustion.
Side note: The DoS vectors are not unique to the multipart request parser in Django. Many other large vendors (other programming languages/frameworks/applications) were notified about the DoS vectors as well and an embargo date was set for the coordinated disclosure.
The Django maintainers took part in a coordinated disclosure of the DoS vulnerability with many other large vendors. This required scheduling a dedicated release for the fixes in Django.
The Django maintainers shared their patch with me well in advance for validation and refined it based on feedback.
Too many open files can stop other requests from opening files e.g. for rendering templates.
High memory usage can lead to the application getting OOM killed.
When the application gets OOM killed, all the open files are left behind, which in turn can lead to exhaustion of disk space/inodes.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.0%