#VU32759 Input validation error in Django


Published: 2012-07-31 | Updated: 2020-07-28

Vulnerability identifier: #VU32759

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-3443

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to cause a denial of service.

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
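A header-only pre-check for the condition described above, as an added example (not Django's patch and not code from this advisory): it reads the declared dimensions from a PNG's IHDR chunk and rejects the upload before any decoder inflates the pixel data. The names `png_dimensions`, `check_pixel_budget`, `ImageRejected` and the `MAX_PIXELS` value are assumptions, and the sample headers are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 20_000_000  # assumed budget; tune to the memory you can spare per upload


class ImageRejected(ValueError):
    """Raised when an upload fails the header-only pre-check."""


def png_dimensions(head: bytes) -> tuple[int, int]:
    """Return (width, height) from the IHDR chunk without touching pixel data."""
    if len(head) < 33 or not head.startswith(PNG_SIGNATURE):
        raise ImageRejected("not a PNG or header truncated")
    length, ctype = struct.unpack(">I4s", head[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ImageRejected("first chunk is not a 13-byte IHDR")
    ihdr = head[16:29]
    (crc,) = struct.unpack(">I", head[29:33])
    if zlib.crc32(b"IHDR" + ihdr) != crc:
        raise ImageRejected("IHDR CRC mismatch")
    width, height = struct.unpack(">II", ihdr[:8])
    if width == 0 or height == 0:
        raise ImageRejected("zero dimension")
    return width, height


def check_pixel_budget(head: bytes, max_pixels: int = MAX_PIXELS) -> int:
    """Reject an upload whose declared pixel count exceeds the budget."""
    width, height = png_dimensions(head)
    pixels = width * height
    if pixels > max_pixels:
        raise ImageRejected(f"{width}x{height} exceeds {max_pixels} pixels")
    return pixels


def constructed_png_header(width: int, height: int) -> bytes:
    """Constructed sample: signature plus IHDR only (8-bit RGB), no pixel data."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr)
    return PNG_SIGNATURE + struct.pack(">I4s", 13, b"IHDR") + ihdr + struct.pack(">I", crc)


if __name__ == "__main__":
    print(check_pixel_budget(constructed_png_header(800, 600)))
    try:
        check_pixel_budget(constructed_png_header(50_000, 50_000))
    except ImageRejected as exc:
        print("rejected:", exc)
```

The check only needs the first 33 bytes of the upload and covers PNG alone; other formats need their own header parsers. It complements the vendor update and does not replace it.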

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Django: 1.3.1


External links
http://www.debian.org/security/2012/dsa-2529
http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2
http://www.ubuntu.com/usn/USN-1560-1
http://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
