CVE-2023-31047

Name of the Vulnerable Software and Affected Versions Django versions 3.2 through 3.2.18 Django versions 4.0 through 4.1.8 Django versions 4.2 through 4.2.0

Description The issue is related to insufficient input validation in the forms.FileField and forms.ImageField components of the Django web application platform. This allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability is caused by the ability to bypass validation when using one form field to upload multiple files, which has never been supported by forms.FileField or forms.ImageField. However, Django's documentation suggested otherwise, leading to the vulnerability.

Recommendations For Django versions 3.2 through 3.2.18, update to version 3.2.19 or later. For Django versions 4.0 through 4.1.8, update to version 4.1.9 or later. For Django versions 4.2 through 4.2.0, update to version 4.2.1 or later. As a temporary workaround, consider disabling the use of forms.FileField and forms.ImageField for multiple file uploads until a patch is available. Restrict access to the forms.FileField and forms.ImageField components to minimize the risk of exploitation. Avoid using these components for multiple file uploads until the issue is resolved.