| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-01-21 07:50:03 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-02-01 07:54:17 +0100 |
| commit | d16133568ef9c9b42cb7a08bdf9ff3feec2e5468 (patch) | |
| tree | c2ac52bb398b8f63d617155103ddd19413d2ec18 /docs/releases/2.2.27.txt | |
| parent | 1a1e8278c46418bde24c86a65443b0674bae65e2 (diff) | |
[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
Diffstat (limited to 'docs/releases/2.2.27.txt')
| -rw-r--r-- | docs/releases/2.2.27.txt | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt index b1712c649c..688a482575 100644 --- a/docs/releases/2.2.27.txt +++ b/docs/releases/2.2.27.txt @@ -15,3 +15,9 @@ posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``. + +CVE-2022-23833: Denial-of-service possibility in file uploads +============================================================= + +Passing certain inputs to multipart forms could result in an infinite loop when +parsing files. |
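Review bot: The added CVE-2022-23833 entry says only that "certain inputs to multipart forms" could cause an infinite loop when parsing files and does not say what the fix changes, whereas the preceding entry in the same file ends by describing the new behaviour of ``{% debug %}``. Consider adding one sentence on how file parsing now treats such input, so that readers of the 2.2.27 notes can judge whether their upload handling is affected. The view is limited to docs/releases/2.2.27.txt, so the code and test changes of this backport are not visible here and need to be reviewed in the full commit.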
