CVE-2023-46695: Django: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
First published: Wed Nov 01 2023(Updated: )
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Djangoproject Django | >=3.2<3.2.23 | |
| Djangoproject Django | >=4.1<4.1.13 | |
| Djangoproject Django | >=4.2.<4.2.7 | |
| pip/Django | >=4.2<4.2.7 | 4.2.7 |
| pip/Django | >=4.1<4.1.13 | 4.1.13 |
| pip/Django | >=3.2<3.2.23 | 3.2.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://groups.google.com/forum/#%21forum/django-announce
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
- https://security.netapp.com/advisory/ntap-20231214-0001/
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://groups.google.com/forum/#!forum/django-announce
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://github.com/advisories/GHSA-qmf9-6jqf-j8fq (Advisory)
- https://docs.djangoproject.com/en/4.2/releases/security
- https://security.netapp.com/advisory/ntap-20231214-0001
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases
Frequently Asked Questions
What is the vulnerability ID for this Django vulnerability?
The vulnerability ID for this Django vulnerability is CVE-2023-46695.
What is the title of this Django vulnerability?
The title of this Django vulnerability is 'Potential denial of service vulnerability in UsernameField on Windows'.
What is the severity level of this Django vulnerability?
The severity level of this Django vulnerability is not mentioned in the provided information. Please refer to the provided references for more details.
How can I fix this Django vulnerability?
To fix this Django vulnerability, update Django to version 3.2.23, 4.1.13, or 4.2.7 depending on your current version.
Where can I find more information about this Django vulnerability?
You can find more information about this Django vulnerability in the provided references.
- collector/oss-sec
- alias/CVE-2023-46695
- collector/mitre-cve
- collector/nvd-api
- agent/type
- agent/author
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qmf9-6jqf-j8fq
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/references
- agent/description
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/3.2
- version/djangoproject django/4.1
- version/djangoproject django/4.2.
- package-manager/pip