Django contains Uncontrolled Resource Consumption via cached header
High severity
GitHub Reviewed
Published
Feb 1, 2023
to the GitHub Advisory Database
•
Updated Apr 28, 2023
Package
Affected versions
>= 3.2a1, < 3.2.17
>= 4.0a1, < 4.0.9
>= 4.1a1, < 4.1.6
Patched versions
3.2.17
4.0.9
4.1.6
Description
Published by the National Vulnerability Database
Feb 1, 2023
Published to the GitHub Advisory Database
Feb 1, 2023
Reviewed
Feb 3, 2023
Last updated
Apr 28, 2023
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
References