Bug 1210866 (CVE-2023-31047) - VUL-0: CVE-2023-31047: python-Django: potential bypass of validation when uploading multiple files using one form field
Status: RESOLVED FIXED
Alias: CVE-2023-31047
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/364518/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-31047:5.6:(AV:...
Reported: 2023-04-26 08:59 UTC by Carlos López
Modified: 2024-08-02 12:50 UTC
CC List: 5 users

Attachments
Attached patches (16.56 KB, application/zip)
2023-04-26 08:59 UTC, Carlos López
Description Carlos López 2023-04-26 08:59:21 UTC
Created attachment 866611
Attached patches

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
=================================================================================================

Uploading multiple files using one form field has never been supported by
``forms.FileField`` or ``forms.ImageField`` as only the last uploaded file was
validated. Unfortunately, the "Uploading multiple files" topic suggested otherwise.

In order to avoid the vulnerability, ``ClearableFileInput`` and
``django.forms.FileInput`` form widgets now raise ``ValueError`` when
the ``multiple`` HTML attribute is set on them. To prevent the exception and
keep the old behavior, set ``allow_multiple_selected`` to ``True``.

For more details on using the new attribute and handling of multiple files
through a single field, see "Uploading multiple files".

This issue has Low severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 4.2
* Django 4.1
* Django 3.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.2.1
* Django 4.1.9
* Django 3.2.19

[1] https://www.djangoproject.com/security/
Comment 3 Carlos López 2023-04-26 12:30:02 UTC
CVSS is below 7.0, so this is Won't Fix for SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1. On SUSE:SLE-15:Update/python-Django the patch should apply cleanly.
Comment 4 Markéta Machová 2023-05-02 07:38:12 UTC
SUSE:SLE-15:Update/python-Django is 2.0, which isn't listed in affected versions (because it is not supported by upstream anymore). Anyway, I'll take a look whether the bug is present in such an old version.
Comment 5 Markéta Machová 2023-05-02 09:02:05 UTC
The code looked clean enough (no Django 2.2+ or Python 3.7+ language features, AFAICT), so here it is: https://build.suse.de/request/show/296872. If it is wrong, please let me know, I may have overlooked something.
Comment 6 Carlos López 2023-05-03 15:25:37 UTC
Public:
https://www.openwall.com/lists/oss-security/2023/05/03/1
Comment 7 Robert Frohl 2023-05-04 08:59:47 UTC
done, closing
Comment 9 Maintenance Automation 2023-07-14 21:42:54 UTC
SUSE-SU-2023:2839-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210866, 1212742
CVE References: CVE-2023-31047, CVE-2023-36053
Sources used:
openSUSE Leap 15.5 (src): python-Django-2.0.7-150000.1.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.