BIT-django-2023-46695
Denial of Service vulnerability in django (PyPI)
What is BIT-django-2023-46695 About?
This vulnerability in Django's `UsernameField` allows for a potential Denial of Service (DoS) attack on Windows due to the slow NFKC normalization of Unicode characters. An attacker can craft inputs with a very large number of Unicode characters, causing significant processing delays.
Affected Software
- django
  - >3.2a1, <3.2.23
  - >4.1a1, <4.1.13
  - >4.2a1, <4.2.7
  - >3.2, <3.2.23
Technical Details
Django versions 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7 are affected by a Denial of Service vulnerability related to django.contrib.auth.forms.UsernameField. On Windows systems, the NFKC (Normalization Form Compatibility Composition) Unicode normalization process, which is used for handling usernames, is unexpectedly slow. An attacker can exploit this by submitting inputs containing an extraordinarily large number of Unicode characters. When UsernameField attempts to process and normalize these lengthy strings, the inherently slow NFKC operation on Windows consumes excessive CPU resources, leading to a Denial of Service for the application.
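To make the failure mode concrete, here is an added illustration (not Django's own code and not from the advisory) of the two patterns involved: normalizing before any length check, so the full cost of NFKC is paid on arbitrarily long input, versus checking the raw length first, the approach the upstream fix takes. The `max_length` default of 150, the ligature-based sample strings and the `clean_username` helper are assumptions made for this example.

```python
import unicodedata
from typing import Optional

# Constructed sample inputs (not taken from the advisory): a short username
# that NFKC rewrites, and an oversized string of compatibility characters of
# the kind the advisory describes. U+FB01 is LATIN SMALL LIGATURE FI, which
# NFKC expands to the two characters "fi".
SHORT_USERNAME = "\ufb01ona"
OVERSIZED_INPUT = "\ufb01" * 200_000  # far beyond any realistic max_length


def normalize_username_unbounded(value: str) -> str:
    """Vulnerable pattern: normalize first, validate length later.

    NFKC walks the entire input regardless of size, so a client that can
    submit a very long string makes the server pay the whole normalization
    cost before a length validator ever gets to reject it.
    """
    return unicodedata.normalize("NFKC", value)


def normalize_username_bounded(value: str, max_length: Optional[int] = 150) -> str:
    """Hardened pattern: check the raw length before normalizing.

    Input that already exceeds max_length is going to be rejected by the
    field's length validation anyway, so there is no reason to spend CPU
    normalizing it. This mirrors the approach of the upstream fix; the exact
    upstream code is not reproduced here.
    """
    if max_length is not None and len(value) > max_length:
        return value  # unchanged; length validation rejects it next
    return unicodedata.normalize("NFKC", value)


def clean_username(value: str, max_length: Optional[int] = 150) -> str:
    """Hypothetical field clean step: bounded normalization, then the
    length check that a form field would apply."""
    value = normalize_username_bounded(value, max_length)
    if max_length is not None and len(value) > max_length:
        raise ValueError("username exceeds max_length")
    return value


if __name__ == "__main__":
    import time

    for name, fn in (("unbounded", normalize_username_unbounded),
                     ("bounded", normalize_username_bounded)):
        start = time.perf_counter()
        fn(OVERSIZED_INPUT)
        print(f"{name}: {time.perf_counter() - start:.4f}s")
```

Run as a script it prints how long each path spends on the oversized input; the bounded path returns without touching NFKC at all.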
What is the Impact of BIT-django-2023-46695?
Successful exploitation may allow attackers to consume excessive server resources, leading to a denial of service and making the application unavailable to legitimate users.
What is the Exploitability of BIT-django-2023-46695?
Exploitation involves submitting very long Unicode strings to fields handled by django.contrib.auth.forms.UsernameField. The complexity is low, as it only requires the ability to send input to the username field. No specific authentication is required if the username field is exposed during user registration or login attempts. This is a remote attack. The primary prerequisite is that the Django application is running on Windows and uses the affected UsernameField. The risk is higher for publicly accessible registration or login forms, as unauthenticated attackers can easily trigger the resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2023-46695?
Available Upgrade Options
- django
  - >3.2, <3.2.23 → Upgrade to 3.2.23
  - >4.1a1, <4.1.13 → Upgrade to 4.1.13
  - >4.2a1, <4.2.7 → Upgrade to 4.2.7
Additional Resources
- https://groups.google.com/forum/#!forum/django-announce
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://security.netapp.com/advisory/ntap-20231214-0001/
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases
What are Similar Vulnerabilities to BIT-django-2023-46695?
Similar Vulnerabilities: CVE-2022-41121, CVE-2022-2804, CVE-2021-33438, CVE-2020-13777, CVE-2019-15949
