CVE-2023-31047
📋 TL;DR
This vulnerability lets an attacker bypass file upload validation in Django applications that accept several files through one form field. forms.FileField and forms.ImageField validate only the last uploaded file for a given field name; if the view then processes every file from request.FILES.getlist(), the remaining files reach the application unvalidated. Django's own "Uploading multiple files" documentation recommended exactly that pattern before the fix. Affects Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload malicious files (webshells, malware) that execute on the server, leading to remote code execution, data theft, or complete system compromise.
Likely Case
Malicious file upload leading to server-side attacks, data exfiltration, or serving malicious content to users.
If Mitigated
If every uploaded file is validated individually on the server (type, size, content) and uploads are stored outside the web root without execute permissions, impact is limited to storage consumption or failed upload attempts.
🎯 Exploit Status
Exploitation requires only a reachable upload form whose handling code reads several files from one field: the attacker submits two or more file parts under the same field name, placing a benign file last so that the one file Django validates passes. No authentication is needed if the upload endpoint is publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 3.2.19, 4.1.9, or 4.2.1
Vendor Advisory: https://docs.djangoproject.com/en/4.2/releases/security/
Restart Required: Yes
Instructions:
1. Upgrade Django to a patched version with pip: pip install Django==3.2.19 (or 4.1.9/4.2.1).
2. Restart the Django application server.
3. Test file upload functionality. In the patched versions, ClearableFileInput and FileInput raise ValueError when the multiple HTML attribute is set on them unless the widget class sets allow_multiple_selected = True, so forms that relied on the old pattern will fail at construction and must be migrated to the documented multi-file field pattern (a widget subclass with allow_multiple_selected = True and a FileField subclass whose clean() validates every file in the list).
🔧 Temporary Workarounds
Custom FileField Validation
Implement custom validation for fields that receive more than one file.
Override clean() on the form field (or the form's clean_<field>() method) so that it runs the single-file validation over every file in request.FILES.getlist(name), or rejects the request outright when a field that expects one file carries more than one. This works on unpatched versions too, because the bypass lies in validating only the last file, not in the widget.
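The following is an added example, not code from the advisory or from Django. It models the bypass and the workaround without requiring Django to be installed: the MultiValueDict, UploadedFile, single_file_clean, vulnerable_view and hardened_view names and the sample submission are constructed for this illustration. The only Django semantics it reproduces are the ones the bug depends on: request.FILES is a MultiValueDict whose get() returns the last value for a key while getlist() returns all of them. In a real project, hardened_view's loop is what the documented MultipleFileField.clean() override does.

```python
"""Added example (not Django project code): CVE-2023-31047 mechanics.

Stand-alone model of how a single-file field validates only the last
part under a field name, and how validating every file closes the gap.
All names below are constructed for this illustration.
"""
from dataclasses import dataclass


class MultiValueDict(dict):
    """Minimal stand-in for django.utils.datastructures.MultiValueDict:
    get() returns the LAST value for a key, getlist() returns all of them."""

    def __init__(self, mapping=None):
        super().__init__()
        for key, values in (mapping or {}).items():
            super().__setitem__(key, list(values))

    def get(self, key, default=None):
        values = super().get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(super().get(key, []))


@dataclass
class UploadedFile:
    name: str
    content: bytes


# Allowlisted extensions and the magic bytes each must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}


def single_file_clean(f: UploadedFile) -> UploadedFile:
    """Stand-in for the per-file validation a FileField/ImageField runs.
    Raises ValueError when the file is not an allowlisted image."""
    ext = "." + f.name.rsplit(".", 1)[-1].lower() if "." in f.name else ""
    magic = ALLOWED.get(ext)
    if magic is None or not f.content.startswith(magic):
        raise ValueError(f"rejected {f.name!r}")
    return f


def vulnerable_view(files: MultiValueDict) -> list:
    """Pre-fix documented pattern: the single-file field validates
    files.get('attachments'), i.e. only the last part, and the view then
    saves everything in files.getlist('attachments')."""
    single_file_clean(files.get("attachments"))
    return [f.name for f in files.getlist("attachments")]


def hardened_view(files: MultiValueDict) -> list:
    """Workaround: run the single-file validator over every file, which is
    what a MultipleFileField.clean() override does in real Django."""
    return [single_file_clean(f).name for f in files.getlist("attachments")]


# Constructed attack submission: two parts under one field name, with a
# PHP file first and a well-formed PNG last so the last-file check passes.
ATTACK = MultiValueDict({
    "attachments": [
        UploadedFile("shell.php", b"<?php system($_GET['c']); ?>"),
        UploadedFile("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
})


def hardened_rejects(files: MultiValueDict = ATTACK) -> bool:
    """True if the hardened path refuses the submission."""
    try:
        hardened_view(files)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable path saved:", vulnerable_view(ATTACK))
    print("hardened path rejects:", hardened_rejects())
```

Running the block shows the vulnerable path saving shell.php alongside cat.png, while the hardened path raises on the first file. The same loop belongs in the clean() of the field that is bound to the multi-file widget, so that form.is_valid() already reflects every file rather than the last one.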
Web Application Firewall Rules
Block requests that carry more than one file part under the same form field name.
Configure the WAF to parse multipart/form-data bodies and reject those where a single field name appears with filename= more than once. Apply this only to endpoints that are meant to accept one file per field, since a form built on the documented multi-file pattern legitimately sends several parts with one name.
🧯 If You Can't Patch
- Implement server-side file type validation and scanning for all uploaded files
- Restrict file upload functionality to authenticated users only and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check the Django version: python -m django --version. If the version is 3.2.x before 3.2.19, 4.0.x or 4.1.x before 4.1.9, or 4.2.x before 4.2.1, the installation is vulnerable. Then audit the code base for views that call request.FILES.getlist() on a field validated by a plain forms.FileField or forms.ImageField; those are the spots where the unvalidated files are consumed.
Check Version:
python -m django --version
Verify Fix Applied:
After the upgrade, confirm that python -m django --version reports a patched version, and that constructing a file widget with the multiple attribute, for example forms.ClearableFileInput(attrs={"multiple": True}), raises ValueError unless the widget class sets allow_multiple_selected = True. Note that the patch alone does not validate extra files: a view that still reads request.FILES.getlist() behind a single-file field remains exposed until it is moved to a field whose clean() validates every file.
📡 Detection & Monitoring
Log Indicators:
- Multiple file upload attempts in single request
- Large number of file upload failures
- Unusual file types being uploaded
Network Indicators:
- HTTP POST requests with multipart/form-data containing duplicate file parameters
- Unusual upload patterns to file upload endpoints
SIEM Query:
source="django" AND (message="file upload" OR message="validation error") AND (file_count > 1)
This query is illustrative only: Django does not log a file_count field by default, so the upload view (or a request-logging middleware) must emit the number of file parts per field name for it to match.
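Both the WAF rule above and the network indicator of duplicate file parameters come down to the same check on a multipart/form-data body. The following is an added example, not part of the advisory or of Django: a stand-alone detector built on the standard library's email parser that counts file parts per field name and reports the names that carry more than one. The two request bodies at the bottom are constructed samples, not captured traffic, and the function and constant names are this example's own.

```python
"""Added example (not part of the advisory or of Django): detect duplicate
file parts under one field name in a multipart/form-data body.

Uses only the standard library so it runs offline. Sample bodies are
constructed here, not captured from real traffic.
"""
import email
from collections import Counter
from email.utils import collapse_rfc2231_value


def file_parts_per_field(content_type: str, body: bytes) -> Counter:
    """Return {field name: number of file parts} for a multipart body.
    A file part is any part whose Content-Disposition carries filename=."""
    raw = (b"Content-Type: " + content_type.encode("ascii") + b"\r\n"
           b"MIME-Version: 1.0\r\n\r\n" + body)
    msg = email.message_from_bytes(raw)  # compat32 Message API
    counts = Counter()
    for part in msg.walk():
        if part.is_multipart():
            continue  # the envelope itself or a nested multipart container
        if part.get_filename() is None:
            continue  # plain form value, not a file upload
        name = part.get_param("name", header="content-disposition")
        if isinstance(name, tuple):  # RFC 2231 encoded parameter
            name = collapse_rfc2231_value(name)
        if name:
            counts[name] += 1
    return counts


def duplicate_file_fields(content_type: str, body: bytes) -> dict:
    """Field names that carry more than one file part: the shape an attacker
    sends against a single-file FileField, and what a WAF rule keys on."""
    return {name: n for name, n in
            file_parts_per_field(content_type, body).items() if n > 1}


BOUNDARY = "----cve31047demo"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def _part(name: str, value: bytes, filename: str = None, ctype: str = None) -> bytes:
    """Build one multipart part (helper for the constructed samples)."""
    disp = f'form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    headers = f"Content-Disposition: {disp}\r\n"
    if ctype:
        headers += f"Content-Type: {ctype}\r\n"
    return f"--{BOUNDARY}\r\n{headers}\r\n".encode() + value + b"\r\n"


# Constructed attack: two file parts for the single field "attachments",
# PHP first and a valid PNG last so a last-file-only check passes.
ATTACK_BODY = (
    _part("attachments", b"<?php system($_GET['c']); ?>", "shell.php", "application/x-php")
    + _part("attachments", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "cat.png", "image/png")
    + f"--{BOUNDARY}--\r\n".encode()
)

# Constructed benign request: one text field and one file field.
BENIGN_BODY = (
    _part("title", b"holiday photo")
    + _part("attachments", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "cat.png", "image/png")
    + f"--{BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    print("attack:", duplicate_file_fields(CONTENT_TYPE, ATTACK_BODY))
    print("benign:", duplicate_file_fields(CONTENT_TYPE, BENIGN_BODY))
```

Feed the Content-Type header and raw body of a logged or mirrored request into duplicate_file_fields(); a non-empty result on an endpoint that expects one file per field is the indicator to alert on. Endpoints that use the documented multi-file pattern legitimately produce the same shape, so scope the rule per endpoint rather than globally.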
🔗 References
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/
- https://security.netapp.com/advisory/ntap-20230609-0008/
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/