Bug 2192565 (CVE-2023-31047) - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field
Summary: CVE-2023-31047 python-django: Potential bypass of validation when uploading m...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-31047
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2196195 2196196 2196197 2196199 2238376
Blocks: 2190007
TreeView+ depends on / blocked
 
Reported: 2023-05-02 10:00 UTC by ybuenos
Modified: 2023-11-08 14:17 UTC (History)
46 users (show)

Fixed In Version: python-django 3.2.19, python-django 4.1.9, python-django 4.2.1
Doc Type: If docs needed, set a value
Doc Text:
A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.
Clone Of:
Environment:
Last Closed: 2023-08-09 19:12:49 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4591 0 None None None 2023-08-09 14:17:57 UTC
Red Hat Product Errata RHSA-2023:5931 0 None None None 2023-10-19 13:13:10 UTC
Red Hat Product Errata RHSA-2023:6818 0 None None None 2023-11-08 14:17:22 UTC

Description ybuenos 2023-05-02 10:00:12 UTC 
Uploading multiple files using one form field has never been supported by ``forms.FileField`` or ``forms.ImageField`` as only the last uploaded file was validated. Unfortunately, "Uploading multiple files" topic suggested otherwise.

In order to avoid the vulnerability, ``ClearableFileInput`` and ``django.forms.FileInput`` form widgets now raise ``ValueError`` when the ``multiple`` HTML attribute is set on them. To prevent the exception and keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files through a single field, see "Uploading multiple files".
Comment 1 ybuenos 2023-05-08 09:29:13 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 2196195]


Created python-django3 tracking bugs for this issue:

Affects: epel-all [bug 2196196]
Affects: fedora-all [bug 2196197]
Comment 4 errata-xmlrpc 2023-08-09 14:17:55 UTC 
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:4591 https://access.redhat.com/errata/RHSA-2023:4591
Comment 5 Product Security DevOps Team 2023-08-09 19:12:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-31047
Comment 7 errata-xmlrpc 2023-10-19 13:13:08 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931
Comment 8 errata-xmlrpc 2023-11-08 14:17:19 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
Note You need to log in before you can comment on or make changes to this bug.