CVE-2023-41164
Denial of Service vulnerability in django (PyPI)

Denial of Service No known exploit

What is CVE-2023-41164 About?

This vulnerability is a Denial of Service (DoS) in Django's `django.utils.encoding.uri_to_iri()` function. It allows attackers to cause resource exhaustion and potential DoS by providing inputs with a very large number of Unicode characters. Exploitation is relatively easy if an attacker can control inputs processed by this function.

Affected Software

  • django
    • >3.2, <3.2.21
    • >4.1, <4.1.11
    • >4.2, <4.2.5

Technical Details

In Django versions 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, the `django.utils.encoding.uri_to_iri()` function is vulnerable to a denial of service attack. This function is responsible for converting URIs (Uniform Resource Identifiers) to IRIs (Internationalized Resource Identifiers). The vulnerability arises when this function processes an input string containing an exceptionally large number of Unicode characters. The conversion process, particularly operations involving character encoding and decoding, becomes highly inefficient and computationally intensive with such inputs. This leads to excessive CPU consumption and memory usage, effectively tying up server resources and rendering the application unresponsive, thus causing a denial of service.

What is the Impact of CVE-2023-41164?

Successful exploitation may allow attackers to disrupt web services, cause server unresponsiveness, or lead to resource exhaustion, resulting in operational downtime and degraded user experience.

What is the Exploitability of CVE-2023-41164?

Exploitation of this vulnerability is of low to medium complexity, requiring the attacker to craft a request containing a URI with a very large number of Unicode characters. There are typically no specific authentication or privilege requirements, as the attack vectors usually involve user-supplied input to web forms or URLs. It is a remote vulnerability, exploitable over the network without direct access to the server. The main risk factor is an application's exposure to arbitrary user input that is subsequently processed by the vulnerable uri_to_iri() function.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2023-41164?

Available Upgrade Options

  • django
    • >3.2, <3.2.21 → Upgrade to 3.2.21
  • django
    • >4.1, <4.1.11 → Upgrade to 4.1.11
  • django
    • >4.2, <4.2.5 → Upgrade to 4.2.5
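As an added example (not part of this advisory, and not Django's own code), the check below audits pinned Django versions against the three affected ranges listed above and reports the release to upgrade to. It assumes the lower bound of each range is inclusive, following the Technical Details wording ("3.2 before 3.2.21"), and only knows about the branches this advisory lists.

```python
# Audit requirements.txt-style pins for Django releases affected by CVE-2023-41164.
# Added example: ranges are taken from the advisory above; lower bounds are
# treated as inclusive (an assumption about the ">3.2" notation in the list).
import re

# (first affected version, first fixed version) for each branch in the advisory.
AFFECTED_RANGES = [
    ((3, 2, 0), (3, 2, 21)),
    ((4, 1, 0), (4, 1, 11)),
    ((4, 2, 0), (4, 2, 5)),
]


def parse_version(text):
    """Turn '4.2.4' (or '4.2') into a comparable tuple; any pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def fixed_version_for(version):
    """Return the first fixed release if `version` falls in an affected range, else None.

    Branches the advisory does not list (e.g. 4.0.x) are not checked here.
    """
    v = parse_version(version) if isinstance(version, str) else version
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def audit_requirements(lines):
    """Scan requirement lines; return [(pinned version, fixed version)] for every
    Django pin inside an affected range. Non-Django lines are ignored."""
    findings = []
    for line in lines:
        m = re.match(r"\s*django\s*==\s*([0-9.]+)", line, re.IGNORECASE)
        if m:
            fixed = fixed_version_for(m.group(1))
            if fixed:
                findings.append((m.group(1), fixed))
    return findings


if __name__ == "__main__":
    # Constructed sample requirements file (not from any real project).
    sample = ["Django==4.2.4", "requests==2.31.0", "django==3.2.21", "Django==4.1.10"]
    for pinned, fixed in audit_requirements(sample):
        print(f"Django {pinned} is affected by CVE-2023-41164; upgrade to {fixed}")
```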

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-41164?

Similar Vulnerabilities: CVE-2023-43666, CVE-2023-46797, CVE-2023-46214, CVE-2023-34057, CVE-2023-35928