CVE-2023-30798: MultipartParser DOS with too many fields or files in Starlette Framework
First published: Tue Feb 14 2023(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-74m5-2c7w-9w3x. This link is maintained to preserve external references. ## Original Description There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
Credit: disclosure@vulncheck.com disclosure@vulncheck.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | <0.25.0 | |
| pip/starlette | <0.25.0 | 0.25.0 |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| Encode Starlette | <0.25.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
- https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
- https://vulncheck.com/advisories/starlette-multipartparser-dos
- https://nvd.nist.gov/vuln/detail/CVE-2023-30798
- https://github.com/advisories/GHSA-3qj8-93xh-pwh2 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247595
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2023-48.yaml
- https://github.com/advisories/GHSA-74m5-2c7w-9w3x (Advisory)
Frequently Asked Questions
What is CVE-2023-30798?
CVE-2023-30798 is a vulnerability in the MultipartParser of Encode Starlette, which allows an attacker to cause a denial of service by sending specially-crafted requests.
What is the severity of CVE-2023-30798?
The severity of CVE-2023-30798 is high, with a CVSS score of 7.5.
How does CVE-2023-30798 affect Starlette framework?
CVE-2023-30798 affects the Encode Starlette framework in versions prior to 0.25.0.
How can an attacker exploit CVE-2023-30798?
An attacker can exploit CVE-2023-30798 by sending specially-crafted requests to the affected system.
Is there a fix available for CVE-2023-30798?
Yes, the vulnerability in Encode Starlette can be fixed by upgrading to version 0.25.0 or later.
- collector/nvd-index
- agent/author
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/title
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3qj8-93xh-pwh2
- agent/software-canonical-lookup
- alias/GHSA-74m5-2c7w-9w3x
- alias/CVE-2023-30798
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/encode
- canonical/ibm cloud pak for business automation
- package-manager/pip
- canonical/encode starlette
- vendor/ibm
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes