rhsa-2023_4591
Vulnerability from csaf_redhat
Published
2023-08-09 14:20
Modified
2024-11-06 03:31
Summary
Red Hat Security Advisory: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements

Notes

Topic
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.
Details
Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances. Security Fix(es): * Django: Potential bypass of validation when uploading multiple files using a single form field (CVE-2023-31047) * sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) (CVE-2023-30608) This RHUI update fixes the following bugs: * Previously, the `rhui-manager` command used the `logname` command to obtain the login name. However, when `rhui-manager` is run using the `rhui-repo-sync` cron job, a login name is not defined. Consequently, emails sent by the cron job contained the error message `logname: no login name`. With this update, `rhui-manager` does not obtain the login name using the `logname` command and the error message is no longer generated. * Previously, when an invalid repository ID was used with the `rhui-manager` command to synchronize or delete a repository, the command failed with following error: `An unexpected error has occurred during the last operation.` Additionally, a traceback was also logged. With this update, the error message has been improved and failure to run no longer logs a traceback. This RHUI update introduces the following enhancements: * With this update, the client configuration RPMs in `rhui-manager` prevent subscription manager from automatically enabling `yum` plugins. As a result, RHUI repository users will no longer see irrelevant messages from subscription manager. (BZ#1957871) * With this update, you can generate machine-readable files with the status of each RHUI repository. To use this feature, run the following command: `rhui-manager --non-interactive status --repo_json <output file>` (BZ#2079391) * With this update, the `rhui-manager` CLI command uses a variety of unique exit codes to indicate different types of errors. For example, if you attempt to add a Red Hat repository that has already been added, the command will exit with a status of 245. However, if you attempt to add a Red Hat repository that does not exist in the RHUI entitlement, the command will exit with a status of 246. For a complete list of codes, see the `/usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py` file.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.\n\nSecurity Fix(es):\n* Django: Potential bypass of validation when uploading multiple files using a single form field (CVE-2023-31047)\n\n* sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)\n\nThis RHUI update fixes the following bugs:\n\n* Previously, the `rhui-manager` command used the `logname` command to obtain the login name. However, when `rhui-manager` is run using the `rhui-repo-sync` cron job, a login name is not defined. Consequently, emails sent by the cron job contained the error message `logname: no login name`. With this update, `rhui-manager` does not obtain the login name using the `logname` command and the error message is no longer generated.\n\n* Previously, when an invalid repository ID was used with the `rhui-manager` command to synchronize or delete a repository, the command failed with following error:\n`An unexpected error has occurred during the last operation.`\nAdditionally, a traceback was also logged. \nWith this update, the error message has been improved and failure to run no longer logs a traceback.\n\nThis RHUI update introduces the following enhancements:\n\n* With this update, the client configuration RPMs in `rhui-manager` prevent subscription manager from automatically enabling `yum` plugins. As a result, RHUI repository users will no longer see irrelevant messages from subscription manager. (BZ#1957871)\n\n* With this update, you can generate machine-readable files with the status of each RHUI repository. To use this feature, run the following command: \n`rhui-manager --non-interactive status --repo_json \u003coutput file\u003e`\n (BZ#2079391)\n\n* With this update, the `rhui-manager` CLI command uses a variety of unique exit codes to indicate different types of errors. For example, if you attempt to add a Red Hat repository that has already been added, the command will exit with a status of 245. However, if you attempt to add a Red Hat repository that does not exist in the RHUI entitlement, the command will exit with a status of 246. For a complete list of codes, see the `/usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py` file.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:4591",
        "url": "https://access.redhat.com/errata/RHSA-2023:4591"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1957871",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1957871"
      },
      {
        "category": "external",
        "summary": "2079391",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2079391"
      },
      {
        "category": "external",
        "summary": "2187903",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187903"
      },
      {
        "category": "external",
        "summary": "2192565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192565"
      },
      {
        "category": "external",
        "summary": "RHUI-217",
        "url": "https://issues.redhat.com/browse/RHUI-217"
      },
      {
        "category": "external",
        "summary": "RHUI-263",
        "url": "https://issues.redhat.com/browse/RHUI-263"
      },
      {
        "category": "external",
        "summary": "RHUI-356",
        "url": "https://issues.redhat.com/browse/RHUI-356"
      },
      {
        "category": "external",
        "summary": "RHUI-395",
        "url": "https://issues.redhat.com/browse/RHUI-395"
      },
      {
        "category": "external",
        "summary": "RHUI-424",
        "url": "https://issues.redhat.com/browse/RHUI-424"
      },
      {
        "category": "external",
        "summary": "RHUI-430",
        "url": "https://issues.redhat.com/browse/RHUI-430"
      },
      {
        "category": "external",
        "summary": "RHUI-75",
        "url": "https://issues.redhat.com/browse/RHUI-75"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4591.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements",
    "tracking": {
      "current_release_date": "2024-11-06T03:31:41+00:00",
      "generator": {
        "date": "2024-11-06T03:31:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2023:4591",
      "initial_release_date": "2023-08-09T14:20:58+00:00",
      "revision_history": [
        {
          "date": "2023-08-09T14:20:58+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-08-09T14:20:58+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T03:31:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHUI 4 for RHEL 8",
                "product": {
                  "name": "RHUI 4 for RHEL 8",
                  "product_id": "8Base-RHUI-4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhui:4::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Update Infrastructure"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhui-installer-0:4.5.0.1-1.el8ui.src",
                "product": {
                  "name": "rhui-installer-0:4.5.0.1-1.el8ui.src",
                  "product_id": "rhui-installer-0:4.5.0.1-1.el8ui.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhui-installer@4.5.0.1-1.el8ui?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhui-tools-0:4.5.0.5-1.el8ui.src",
                "product": {
                  "name": "rhui-tools-0:4.5.0.5-1.el8ui.src",
                  "product_id": "rhui-tools-0:4.5.0.5-1.el8ui.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhui-tools@4.5.0.5-1.el8ui?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-0:3.2.19-1.0.1.el8ui.src",
                "product": {
                  "name": "python-django-0:3.2.19-1.0.1.el8ui.src",
                  "product_id": "python-django-0:3.2.19-1.0.1.el8ui.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django@3.2.19-1.0.1.el8ui?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
                "product": {
                  "name": "python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
                  "product_id": "python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-sqlparse@0.4.4-1.0.1.el8ui?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhui-installer-0:4.5.0.1-1.el8ui.noarch",
                "product": {
                  "name": "rhui-installer-0:4.5.0.1-1.el8ui.noarch",
                  "product_id": "rhui-installer-0:4.5.0.1-1.el8ui.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhui-installer@4.5.0.1-1.el8ui?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhui-tools-0:4.5.0.5-1.el8ui.noarch",
                "product": {
                  "name": "rhui-tools-0:4.5.0.5-1.el8ui.noarch",
                  "product_id": "rhui-tools-0:4.5.0.5-1.el8ui.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhui-tools@4.5.0.5-1.el8ui?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch",
                "product": {
                  "name": "rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch",
                  "product_id": "rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhui-tools-libs@4.5.0.5-1.el8ui?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python39-django-0:3.2.19-1.0.1.el8ui.noarch",
                "product": {
                  "name": "python39-django-0:3.2.19-1.0.1.el8ui.noarch",
                  "product_id": "python39-django-0:3.2.19-1.0.1.el8ui.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python39-django@3.2.19-1.0.1.el8ui?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
                "product": {
                  "name": "python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
                  "product_id": "python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python39-sqlparse@0.4.4-1.0.1.el8ui?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-0:3.2.19-1.0.1.el8ui.src as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src"
        },
        "product_reference": "python-django-0:3.2.19-1.0.1.el8ui.src",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-sqlparse-0:0.4.4-1.0.1.el8ui.src as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src"
        },
        "product_reference": "python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-django-0:3.2.19-1.0.1.el8ui.noarch as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch"
        },
        "product_reference": "python39-django-0:3.2.19-1.0.1.el8ui.noarch",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch"
        },
        "product_reference": "python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhui-installer-0:4.5.0.1-1.el8ui.noarch as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.noarch"
        },
        "product_reference": "rhui-installer-0:4.5.0.1-1.el8ui.noarch",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhui-installer-0:4.5.0.1-1.el8ui.src as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.src"
        },
        "product_reference": "rhui-installer-0:4.5.0.1-1.el8ui.src",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhui-tools-0:4.5.0.5-1.el8ui.noarch as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.noarch"
        },
        "product_reference": "rhui-tools-0:4.5.0.5-1.el8ui.noarch",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhui-tools-0:4.5.0.5-1.el8ui.src as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.src"
        },
        "product_reference": "rhui-tools-0:4.5.0.5-1.el8ui.src",
        "relates_to_product_reference": "8Base-RHUI-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch as a component of RHUI 4 for RHEL 8",
          "product_id": "8Base-RHUI-4:rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch"
        },
        "product_reference": "rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch",
        "relates_to_product_reference": "8Base-RHUI-4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-30608",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2023-04-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch",
            "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.noarch",
            "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.src",
            "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.noarch",
            "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.src",
            "8Base-RHUI-4:rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2187903"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
          "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch"
        ],
        "known_not_affected": [
          "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src",
          "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch",
          "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.noarch",
          "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.src",
          "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.noarch",
          "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.src",
          "8Base-RHUI-4:rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-30608"
        },
        {
          "category": "external",
          "summary": "RHBZ#2187903",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187903"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-30608",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-30608"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-30608",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30608"
        },
        {
          "category": "external",
          "summary": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2",
          "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2"
        }
      ],
      "release_date": "2023-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-08-09T14:20:58+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor detailed instructions on how to apply this update, see:\nhttps://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure\n\nFor other information, see the product documentation:\nhttps://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4",
          "product_ids": [
            "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:4591"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)"
    },
    {
      "cve": "CVE-2023-31047",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2023-04-26T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
            "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.noarch",
            "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.src",
            "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.noarch",
            "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.src",
            "8Base-RHUI-4:rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2192565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: Potential bypass of validation when uploading multiple files using one form field",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite and Red Hat Update Infrastructure individual impact ratings have been set to Low since initial privileges are required in order to access the server and the vulnerable functionality.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src",
          "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch"
        ],
        "known_not_affected": [
          "8Base-RHUI-4:python-sqlparse-0:0.4.4-1.0.1.el8ui.src",
          "8Base-RHUI-4:python39-sqlparse-0:0.4.4-1.0.1.el8ui.noarch",
          "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.noarch",
          "8Base-RHUI-4:rhui-installer-0:4.5.0.1-1.el8ui.src",
          "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.noarch",
          "8Base-RHUI-4:rhui-tools-0:4.5.0.5-1.el8ui.src",
          "8Base-RHUI-4:rhui-tools-libs-0:4.5.0.5-1.el8ui.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-31047"
        },
        {
          "category": "external",
          "summary": "RHBZ#2192565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-31047",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-31047"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
        },
        {
          "category": "external",
          "summary": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/",
          "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/"
        }
      ],
      "release_date": "2023-05-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-08-09T14:20:58+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor detailed instructions on how to apply this update, see:\nhttps://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure\n\nFor other information, see the product documentation:\nhttps://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4",
          "product_ids": [
            "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:4591"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-RHUI-4:python-django-0:3.2.19-1.0.1.el8ui.src",
            "8Base-RHUI-4:python39-django-0:3.2.19-1.0.1.el8ui.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "python-django: Potential bypass of validation when uploading multiple files using one form field"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.