Vulnerability details: VCID-rwqv-shhz-aaag
Vulnerability ID VCID-rwqv-shhz-aaag
Aliases BIT-django-2023-46695
CVE-2023-46695
GHSA-qmf9-6jqf-j8fq
PYSEC-2023-222
Summary An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Scores

System           Score     Found at
cvssv3           7.5       https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46695.json
epss             0.00076   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.00110   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.00127   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.01931   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.02655   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.02662   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.02674   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.03065   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.03589   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
epss             0.03881   https://api.first.org/data/v1/epss?cve=CVE-2023-46695
cvssv3.1         7.5       https://docs.djangoproject.com/en/4.2/releases/security
generic_textual  HIGH      https://docs.djangoproject.com/en/4.2/releases/security
cvssv3.1         7.5       https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr      HIGH      https://github.com/advisories/GHSA-qmf9-6jqf-j8fq
cvssv3.1         3.7       https://github.com/django/django
generic_textual  MODERATE  https://github.com/django/django
cvssv3.1         7.5       https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
generic_textual  HIGH      https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
cvssv3.1         7.5       https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
generic_textual  HIGH      https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
cvssv3.1         7.5       https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
generic_textual  HIGH      https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
cvssv3.1         7.5       https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
generic_textual  HIGH      https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
cvssv3.1         3.7       https://groups.google.com/forum/#%21forum/django-announce
generic_textual  MODERATE  https://groups.google.com/forum/#%21forum/django-announce
cvssv3.1         7.5       https://groups.google.com/forum/#!forum/django-announce
generic_textual  HIGH      https://groups.google.com/forum/#!forum/django-announce
cvssv3           7.5       https://nvd.nist.gov/vuln/detail/CVE-2023-46695
cvssv3.1         7.5       https://nvd.nist.gov/vuln/detail/CVE-2023-46695
cvssv3.1         7.5       https://security.netapp.com/advisory/ntap-20231214-0001
generic_textual  HIGH      https://security.netapp.com/advisory/ntap-20231214-0001
cvssv3.1         7.5       https://www.djangoproject.com/weblog/2023/nov/01/security-releases
generic_textual  HIGH      https://www.djangoproject.com/weblog/2023/nov/01/security-releases
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46695.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://docs.djangoproject.com/en/4.2/releases/security
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://groups.google.com/forum/#%21forum/django-announce
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://groups.google.com/forum/#!forum/django-announce
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-46695
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20231214-0001
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.djangoproject.com/weblog/2023/nov/01/security-releases
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.33911
EPSS Score 0.00076
Published At Nov. 1, 2024, midnight
History (Date, Actor, Action, Source, VulnerableCode Version): there are no relevant records.