cvelistv5 - cve-2023-28837

URL	Tags
security-advisories@github.com	https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size	Product
security-advisories@github.com	https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880	Patch
security-advisories@github.com	https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165	Release Notes
security-advisories@github.com	https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf	Patch
security-advisories@github.com	https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a	Release Notes
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v4.1.4	Release Notes
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v4.2.2	Release Notes
security-advisories@github.com	https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9	Mitigation, Vendor Advisory

gsd-2023-28837

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.

Aliases

CVE-2023-28837

Aliases

CVE-2023-28837

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28837",
    "id": "GSD-2023-28837"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28837"
      ],
      "details": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.",
      "id": "GSD-2023-28837",
      "modified": "2023-12-13T01:20:48.964011Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28837",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wagtail",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.1.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.2, \u003c 4.2.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "wagtail"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4"
          },
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2"
          },
          {
            "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"
          },
          {
            "name": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"
          },
          {
            "name": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"
          },
          {
            "name": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"
          },
          {
            "name": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"
          },
          {
            "name": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size",
            "refsource": "MISC",
            "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-33pv-vcgh-jfg9",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.1.4||\u003e=4.2,\u003c4.2.2",
          "affected_versions": "All versions before 4.1.4, all versions starting from 4.2 before 4.2.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-04-12",
          "description": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.",
          "fixed_versions": [
            "4.1.4",
            "4.2.2"
          ],
          "identifier": "CVE-2023-28837",
          "identifiers": [
            "CVE-2023-28837",
            "GHSA-33pv-vcgh-jfg9"
          ],
          "not_impacted": "All versions starting from 4.1.4 before 4.2, all versions starting from 4.2.2",
          "package_slug": "pypi/wagtail",
          "pubdate": "2023-04-03",
          "solution": "Upgrade to versions 4.1.4, 4.2.2 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-28837",
            "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880",
            "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165",
            "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf",
            "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a",
            "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size",
            "https://github.com/wagtail/wagtail/releases/tag/v4.1.4",
            "https://github.com/wagtail/wagtail/releases/tag/v4.2.2",
            "https://github.com/advisories/GHSA-33pv-vcgh-jfg9"
          ],
          "uuid": "1d0f7253-c32d-47a4-bf0e-7d4c007f96bb"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.2.2",
                "versionStartIncluding": "4.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.1.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28837"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                },
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"
            },
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2"
            },
            {
              "name": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"
            },
            {
              "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"
            },
            {
              "name": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"
            },
            {
              "name": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"
            },
            {
              "name": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"
            },
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-04-12T18:55Z",
      "publishedDate": "2023-04-03T17:15Z"
    }
  }
}

ghsa-33pv-vcgh-jfg9

Vulnerability from github

Published

2023-04-03 19:18

Modified

2024-11-19 16:24

Severity ?

4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files

Details

Impact

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

Patches

Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).

Workarounds

Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files. Exactly how this is done will vary based on your hosting environment, but here are a few references for common setups:

Nginx: client_max_body_size
Apache: LimitRequestBody
Cloudflare: Already imposes a limit of 100MB - 500MB depending on plan
CloudFront: SizeConstraint
Traefik: traefik.http.middlewares.limit.buffering.maxRequestBodyBytes

The changes themselves are deep inside Wagtail, making patching incredibly difficult.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2"
            },
            {
              "fixed": "4.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-03T19:18:09Z",
    "nvd_published_at": "2023-04-03T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.\n\nThe vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.\n\nImage uploads are [restricted to 10MB by default](https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size), however this validation only happens on the frontend and on the backend after the vulnerable code. \n\n### Patches\n\nPatched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch).\n\n### Workarounds\n\nSite owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files. Exactly how this is done will vary based on your hosting environment, but here are a few references for common setups:\n\n- Nginx: [`client_max_body_size`](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size)\n- Apache: [`LimitRequestBody`](https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody)\n- Cloudflare: Already [imposes a limit of 100MB - 500MB](https://developers.cloudflare.com/cache/about/default-cache-behavior#customization-options-and-limitations) depending on plan\n- CloudFront: [`SizeConstraint`](https://docs.aws.amazon.com/waf/latest/APIReference/API_SizeConstraintStatement.html)\n- Traefik: [`traefik.http.middlewares.limit.buffering.maxRequestBodyBytes`](https://doc.traefik.io/traefik/middlewares/http/buffering/#maxrequestbodybytes)\n\nThe changes themselves are deep inside Wagtail, making patching incredibly difficult.",
  "id": "GHSA-33pv-vcgh-jfg9",
  "modified": "2024-11-19T16:24:55Z",
  "published": "2023-04-03T19:18:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"
    },
    {
      "type": "WEB",
      "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files"
}

pysec-2023-56

Vulnerability from pysec

Published

2023-04-03 17:15

Modified

2023-05-04 03:49

Details

Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"
            },
            {
              "fixed": "3c0c64642b9e5b8d28b111263c7f4bddad6c3880"
            },
            {
              "fixed": "c9d2fcd650a88d76ae122646142245e5927a9165"
            },
            {
              "fixed": "d4022310cbe497993459c3136311467c7ac6329a"
            }
          ],
          "repo": "https://github.com/wagtail/wagtail",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "4.2"
            },
            {
              "fixed": "4.2.2"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.8.1",
        "0.8.10",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "1.0",
        "1.0b1",
        "1.0b2",
        "1.0rc1",
        "1.0rc2",
        "1.1",
        "1.10",
        "1.10.1",
        "1.10rc1",
        "1.11",
        "1.11.1",
        "1.11rc1",
        "1.12",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.6",
        "1.12rc1",
        "1.13",
        "1.13.1",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "1.13rc1",
        "1.1rc1",
        "1.2",
        "1.2rc1",
        "1.3",
        "1.3.1",
        "1.3rc1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4rc1",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5rc1",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6rc1",
        "1.7",
        "1.7rc1",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8rc1",
        "1.9",
        "1.9.1",
        "1.9rc1",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.0b1",
        "2.0rc1",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.10rc1",
        "2.10rc2",
        "2.11",
        "2.11.1",
        "2.11.2",
        "2.11.3",
        "2.11.4",
        "2.11.5",
        "2.11.6",
        "2.11.7",
        "2.11.8",
        "2.11.9",
        "2.11rc1",
        "2.12",
        "2.12.1",
        "2.12.2",
        "2.12.3",
        "2.12.4",
        "2.12.5",
        "2.12.6",
        "2.12rc1",
        "2.13",
        "2.13.1",
        "2.13.2",
        "2.13.3",
        "2.13.4",
        "2.13.5",
        "2.13rc1",
        "2.13rc2",
        "2.13rc3",
        "2.14",
        "2.14.1",
        "2.14.2",
        "2.14rc1",
        "2.15",
        "2.15.1",
        "2.15.2",
        "2.15.3",
        "2.15.4",
        "2.15.5",
        "2.15.6",
        "2.15rc1",
        "2.15rc2",
        "2.16",
        "2.16.1",
        "2.16.2",
        "2.16.3",
        "2.16rc1",
        "2.16rc2",
        "2.1rc1",
        "2.1rc2",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2rc1",
        "2.2rc2",
        "2.3",
        "2.3rc1",
        "2.3rc2",
        "2.4",
        "2.4rc1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.5rc1",
        "2.6",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.6rc1",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.7.4",
        "2.7rc1",
        "2.7rc2",
        "2.8",
        "2.8.1",
        "2.8.2",
        "2.8rc1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9rc1",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0rc1",
        "3.0rc2",
        "3.0rc3",
        "4.0",
        "4.0.1",
        "4.0.2",
        "4.0.3",
        "4.0.4",
        "4.0rc1",
        "4.0rc2",
        "4.1",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.1rc1",
        "4.2",
        "4.2.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28837",
    "GHSA-33pv-vcgh-jfg9"
  ],
  "details": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail\u0027s handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.",
  "id": "PYSEC-2023-56",
  "modified": "2023-05-04T03:49:48.874145Z",
  "published": "2023-04-03T17:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"
    },
    {
      "type": "WEB",
      "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4"
    }
  ]
}

cve-2023-28837

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2023-28837

Vulnerability from cvelistv5

gsd-2023-28837

Vulnerability from gsd

ghsa-33pv-vcgh-jfg9

Vulnerability from github

Impact

Patches

Workarounds

pysec-2023-56

Vulnerability from pysec

Tags

Sightings

Nomenclature