{"api_version":"1","generated_at":"2026-04-22T19:18:54+00:00","cve":"CVE-2023-31047","urls":{"html":"https://cve.report/CVE-2023-31047","api":"https://cve.report/api/cve/CVE-2023-31047.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-31047","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-31047"},"summary":{"title":"CVE-2023-31047","description":"In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-05-07 02:15:00","updated_at":"2023-11-07 04:14:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/","name":"FEDORA-2023-0d20d09f2d","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: python-django3-3.2.19-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/#%21forum/django-announce","name":"https://groups.google.com/forum/#%21forum/django-announce","refsource":"","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.djangoproject.com/weblog/2023/may/03/security-releases/","name":"https://www.djangoproject.com/weblog/2023/may/03/security-releases/","refsource":"CONFIRM","tags":[],"title":"Django security releases issued: 4.2.1, 4.1.9, and 3.2.19 | Weblog | Django","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/#!forum/django-announce","name":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0008/","name":"https://security.netapp.com/advisory/ntap-20230609-0008/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-31047 Django Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/","name":"FEDORA-2023-8f9d949dbc","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: python-django3-3.2.19-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://docs.djangoproject.com/en/4.2/releases/security/","name":"https://docs.djangoproject.com/en/4.2/releases/security/","refsource":"MISC","tags":[],"title":"Archive of security issues | Django documentation | Django","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/","name":"FEDORA-2023-0d20d09f2d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: python-django3-3.2.19-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/","name":"FEDORA-2023-8f9d949dbc","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: python-django3-3.2.19-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31047","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31047","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"31047","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31047","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"4.2","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31047","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"4.2","cpe7":"b1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31047","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"4.2","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31047","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-31047","qid":"181774","title":"Debian Security Update for python-django (DLA 3415-1)"},{"cve":"CVE-2023-31047","qid":"182538","title":"Debian Security Update for python-django (CVE-2023-31047)"},{"cve":"CVE-2023-31047","qid":"199318","title":"Ubuntu Security Notification for Django Vulnerability (USN-6054-1)"},{"cve":"CVE-2023-31047","qid":"199508","title":"Ubuntu Security Notification for Django Vulnerability (USN-6054-2)"},{"cve":"CVE-2023-31047","qid":"242347","title":"Red Hat Update for Satellite 6.14 (RHSA-2023:6818)"},{"cve":"CVE-2023-31047","qid":"242363","title":"Red Hat Update for Satellite 6.13.5 (RHSA-2023:5931)"},{"cve":"CVE-2023-31047","qid":"283984","title":"Fedora Security Update for python (FEDORA-2023-8f9d949dbc)"},{"cve":"CVE-2023-31047","qid":"284143","title":"Fedora Security Update for python (FEDORA-2023-0d20d09f2d)"},{"cve":"CVE-2023-31047","qid":"296100","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 58.144.3 Missing (CPUAPR2023)"},{"cve":"CVE-2023-31047","qid":"6000222","title":"Debian Security Update for python-django (DSA 5465-1)"},{"cve":"CVE-2023-31047","qid":"691161","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for django (d55e1b4d-eadc-11ed-9cc0-080027de9982)"},{"cve":"CVE-2023-31047","qid":"961065","title":"Rocky Linux Security Update for Satellite (RLSA-2023:6818)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-31047","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","name":"https://groups.google.com/forum/#!forum/django-announce"},{"url":"https://docs.djangoproject.com/en/4.2/releases/security/","refsource":"MISC","name":"https://docs.djangoproject.com/en/4.2/releases/security/"},{"refsource":"CONFIRM","name":"https://www.djangoproject.com/weblog/2023/may/03/security-releases/","url":"https://www.djangoproject.com/weblog/2023/may/03/security-releases/"},{"refsource":"FEDORA","name":"FEDORA-2023-0d20d09f2d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"},{"refsource":"FEDORA","name":"FEDORA-2023-8f9d949dbc","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230609-0008/","url":"https://security.netapp.com/advisory/ntap-20230609-0008/"}]}},"nvd":{"publishedDate":"2023-05-07 02:15:00","lastModifiedDate":"2023-11-07 04:14:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:4.2:rc1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:4.2:b1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:4.2:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"4.1.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"3.2.19","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}