The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5465 advisory.
- In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. (CVE-2023-23969)
- An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. (CVE-2023-24580)
- In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django’s Uploading multiple files documentation suggested otherwise. (CVE-2023-31047)
- In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. (CVE-2023-36053)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5465. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
  script_id(179346);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/04");
  script_cve_id(
    "CVE-2023-23969",
    "CVE-2023-24580",
    "CVE-2023-31047",
    "CVE-2023-36053"
  );
  script_name(english:"Debian DSA-5465-1 : python-django - security update");
  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5465 advisory.
- In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language
headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language headers is very large.
(CVE-2023-23969)
- An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10,
and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could
result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-
service attack. (CVE-2023-24580)
- In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation
when using one form field to upload multiple files. This multiple upload has never been supported by
forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's
Uploading multiple files documentation suggested otherwise. (CVE-2023-31047)
- In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are
subject to a potential ReDoS (regular expression denial of service) attack via a very large number of
domain name labels of emails and URLs. (CVE-2023-36053)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://security-tracker.debian.org/tracker/source-package/python-django
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22eb32f6");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5465");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-23969");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-24580");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-31047");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-36053");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/python-django");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/python-django");
  script_set_attribute(attribute:"solution", value:
"Upgrade the python-django packages.
For the stable distribution (bookworm), this problem has been fixed in version 3");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-31047");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/04");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-django");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
  exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
  {'release': '11.0', 'prefix': 'python-django-doc', 'reference': '2:2.2.28-1~deb11u2'},
  {'release': '11.0', 'prefix': 'python3-django', 'reference': '2:2.2.28-1~deb11u2'},
  {'release': '12.0', 'prefix': 'python-django-doc', 'reference': '3:3.2.19-1+deb12u1'},
  {'release': '12.0', 'prefix': 'python3-django', 'reference': '3:3.2.19-1+deb12u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}
if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-django-doc / python3-django');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | python-django-doc | p-cpe:/a:debian:debian_linux:python-django-doc |
debian | debian_linux | python3-django | p-cpe:/a:debian:debian_linux:python3-django |
debian | debian_linux | 11.0 | cpe:/o:debian:debian_linux:11.0 |
debian | debian_linux | 12.0 | cpe:/o:debian:debian_linux:12.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23969
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24580
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36053
www.nessus.org/u?22eb32f6
packages.debian.org/source/bookworm/python-django
packages.debian.org/source/bullseye/python-django
security-tracker.debian.org/tracker/CVE-2023-23969
security-tracker.debian.org/tracker/CVE-2023-24580
security-tracker.debian.org/tracker/CVE-2023-31047
security-tracker.debian.org/tracker/CVE-2023-36053
www.debian.org/security/2023/dsa-5465