Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows

Medium
I
Internet Bug Bounty
Submitted None

Team Summary

Official summary from Internet Bug Bounty

CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters. In order to avoid the vulnerability, invalid values longer than UsernameField.max_length are no longer normalized, since they cannot pass validation anyway. Thanks MProgrammer for the report. This issue has severity "moderate" according to the Django security policy. Full Security Advisory: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/

Actions:
View on HackerOne
Reported by mprogrammer

Vulnerability Details

Technical details and impact analysis

Uncontrolled Resource Consumption
In Django versions before 4.2.7, 4.1.13, and 3.2.23, I sent a POST request to the admin login page using Burp Suite, editing the request to send over 1 million invalid unicode characters to my local web server running Django. (I used: "¾") After submitting, a single request took 4.4 seconds on average. When I sent 20 concurrent requests, then I got 60 second wait times, and 504 gateway timeout errors on my machine. {F2871465} Normal ascii characters don't do this and the page loads instantly. ## Impact Denial of Service anywhere a form contains a UsernameField that checks for errors.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2540.00

Submitted

Weakness

Uncontrolled Resource Consumption