CVE-2023-31047
Validation Bypass vulnerability in django (PyPI)
What is CVE-2023-31047 About?
This Validation Bypass vulnerability in Django allows an attacker to circumvent validation when uploading multiple files using a single form field. Despite documentation suggesting otherwise, only the last uploaded file was validated, enabling malicious files to pass undetected. Exploitation is relatively easy if the application design relies on this faulty validation for security.
Affected Software
Technical Details
The vulnerability in Django versions 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1 relates to the handling of multiple file uploads with a single forms.FileField or forms.ImageField. While Django's documentation incorrectly implied support for validating multiple files, the underlying implementation only applied validation to the last file uploaded in a multi-file submission. This means that if an attacker submitted multiple files, with only the final file being legitimate or passing validation, any malicious files submitted before it would bypass the validation checks entirely. For example, if a form expected an image, an attacker could submit a malicious executable followed by a valid image file; the image would pass validation, and the executable would be accepted without scrutiny, leading to a validation bypass.
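The failure mode described above, as an added illustration that is not code from the page or from Django itself: a Django-free Python model of the pre-fix flow (the field cleans `files.get(name)`, which in Django's MultiValueDict is the last value, while the view stores everything from `files.getlist(name)`) beside the per-file cleaning that Django's documented MultipleFileField recipe performs. The MultiValueDict stand-in, the PNG-magic validator and the sample submission are all constructed for the example.

```python
from collections import defaultdict

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class ValidationError(Exception):
    pass


class MultiValueDict:
    """Constructed stand-in for django.utils.datastructures.MultiValueDict:
    get() returns the LAST value stored for a key, getlist() returns all."""

    def __init__(self):
        self._data = defaultdict(list)

    def add(self, key, value):
        self._data[key].append(value)

    def get(self, key):
        values = self._data.get(key)
        return values[-1] if values else None

    def getlist(self, key):
        return list(self._data.get(key, []))


def clean_image(upload):
    """Single-file validator: accept only content that starts with PNG magic."""
    name, content = upload
    if not content.startswith(PNG_MAGIC):
        raise ValidationError(f"{name}: not a PNG image")
    return upload


def vulnerable_upload(files, field="images"):
    """Pre-fix pattern: validate files.get() (last file only), store getlist()."""
    clean_image(files.get(field))
    return [name for name, _ in files.getlist(field)]


def fixed_upload(files, field="images"):
    """Post-fix pattern: every file in the submission is cleaned before storage."""
    return [name for name, _ in (clean_image(f) for f in files.getlist(field))]


def accepted_names(handler, files):
    """Names the handler would store, or None if validation rejected the batch."""
    try:
        return handler(files)
    except ValidationError:
        return None


def build_request_files(include_bad=True):
    # Constructed multi-file submission: a non-image first, a valid PNG last.
    files = MultiValueDict()
    if include_bad:
        files.add("images", ("notes.exe", b"MZ\x90\x00 not an image"))
    files.add("images", ("photo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"))
    return files
```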
What is the Impact of CVE-2023-31047?
Successful exploitation may allow attackers to upload malicious files that bypass validation checks, potentially leading to arbitrary code execution, denial-of-service, or other security compromises depending on how the uploaded files are processed and stored.
What is the Exploitability of CVE-2023-31047?
Exploitation of this vulnerability is of low complexity. An attacker needs to submit a form that uses a vulnerable FileField or ImageField and upload multiple files in one request, with the malicious file placed before the last one in the submission. No authentication is required if the file upload functionality is exposed to unauthenticated users; otherwise, ordinary user credentials are sufficient. This is typically a remote exploitation scenario against a web application designed to accept file uploads. There are no special privilege requirements. The primary prerequisite is an affected Django version together with a form that allows multiple file uploads via a single field and relies on that field's validation for security. Risk factors include web applications that directly store or serve user-uploaded content without further server-side processing and validation after the initial upload, since that initial validation step can be bypassed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-31047?
Available Upgrade Options
- django
- >3.2, <3.2.19 → Upgrade to 3.2.19
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2023-61
- https://security.netapp.com/advisory/ntap-20230609-0008/
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/
- https://docs.djangoproject.com/en/4.2/releases/security/
What are Similar Vulnerabilities to CVE-2023-31047?
Similar Vulnerabilities: CVE-2023-31046, CVE-2022-48618, CVE-2022-42887, CVE-2021-39328, CVE-2020-13838
