CVE-2012-3443
medium
CVSS v3
—
CVSS v2
5.0
VIR risk
5.0
Description
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-3443
Vendor advisory: secalert@redhat.com — https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.4.1-1 |
| debian | bullseye | fixed | 1.4.1-1 |
| debian | forky | fixed | 1.4.1-1 |
| debian | sid | fixed | 1.4.1-1 |
| debian | trixie | fixed | 1.4.1-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| djangoproject | django | {"endIncluding":"1.3"} | |
| djangoproject | django | 0.95 | |
| djangoproject | django | 0.96 | |
| djangoproject | django | 1.0 | |
| djangoproject | django | 1.0.1 | |
| djangoproject | django | 1.0.2 | |
| djangoproject | django | 1.1 | |
| djangoproject | django | 1.1.2 | |
| djangoproject | django | 1.1.3 | |
| djangoproject | django | 1.1.4 | |
| djangoproject | django | 1.2 | |
| djangoproject | django | 1.2-alpha1 | |
| djangoproject | django | 1.2.2 | |
| djangoproject | django | 1.2.4 | |
| djangoproject | django | 1.2.5 | |
| djangoproject | django | 1.2.6 | |
| djangoproject | django | 1.2.7 | |
| djangoproject | django | 1.3 | |
| djangoproject | django | 1.4 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-3443
- https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155
- https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-3.yaml
- https://www.debian.org/security/2012/dsa-2529
- https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued
- https://www.mandriva.com/security/advisories?name=MDVSA-2012:143
- https://www.openwall.com/lists/oss-security/2012/07/31/1
- https://www.openwall.com/lists/oss-security/2012/07/31/2
- https://www.ubuntu.com/usn/USN-1560-1
- http://www.debian.org/security/2012/dsa-2529
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
- http://www.openwall.com/lists/oss-security/2012/07/31/1
- http://www.openwall.com/lists/oss-security/2012/07/31/2
- http://www.ubuntu.com/usn/USN-1560-1
- https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
- https://security-tracker.debian.org/tracker/CVE-2012-3443
CWEs
CWE-20
Verify integrity in audit chain (admin only). AS-IS.