
Uncontrolled Resource Consumption

CVE-2023-28837

Severity Medium
Score 4.9/10

Summary

Wagtail is an open source content management system built on Django. In versions through 4.1.3, and in 4.2rc1 through 4.2.1, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents: uploaded files are loaded into memory in full for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin; it can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, but that validation happens only on the front end and, on the backend, after the vulnerable code has already read the file into memory, so it does not prevent the attack. The bug is fixed in versions 4.1.4 and 4.2.2. Site owners who are unable to upgrade are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.
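The advisory's interim mitigation is to enforce the size limit outside Wagtail, before the upload view can read the body. The following WSGI middleware is an added example written for this page; it is not Wagtail's or Django's own code. It assumes the site is served through WSGI (Django's default) and that the admin upload views sit under the hypothetical path prefixes in UPLOAD_PREFIXES, which should be checked against your URL configuration. The decision is made from headers alone, so nothing is buffered: a declared Content-Length over the limit gets a 413, and an upload request with no Content-Length at all (a chunked body, for example) gets a 411, because its size cannot be checked up front.

```python
"""WSGI middleware that caps upload size before Wagtail's upload views run.

Added example for this advisory, not Wagtail's or Django's own code.
Assumptions: the app is served via WSGI, and the Wagtail admin upload
views live under UPLOAD_PREFIXES (hypothetical defaults; adjust them).
"""

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # mirrors Wagtail's 10MB default image limit
UPLOAD_PREFIXES = ("/admin/images/", "/admin/documents/")  # assumption; adjust to your URL config


def _declared_length(environ):
    """Return the request's Content-Length as an int, or None if absent or invalid."""
    raw = environ.get("CONTENT_LENGTH", "")
    if not raw:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def _is_upload_request(environ):
    """Only POST/PUT requests to the admin upload URLs are size-gated."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    path = environ.get("PATH_INFO", "")
    return method in ("POST", "PUT") and path.startswith(UPLOAD_PREFIXES)


def check_upload_request(environ, limit=MAX_UPLOAD_BYTES):
    """Decide whether the request may proceed.

    Returns None to let it through, or a (status, message) pair to reject it.
    The decision uses only request headers, so no part of the body is read.
    """
    if not _is_upload_request(environ):
        return None
    length = _declared_length(environ)
    if length is None:
        return ("411 Length Required", "Upload requests must declare Content-Length")
    if length > limit:
        return ("413 Payload Too Large", f"Upload exceeds {limit} bytes")
    return None


class UploadSizeLimitMiddleware:
    """Wrap a WSGI app (e.g. Django's get_wsgi_application()) with the check above."""

    def __init__(self, app, limit=MAX_UPLOAD_BYTES):
        self.app = app
        self.limit = limit

    def __call__(self, environ, start_response):
        rejection = check_upload_request(environ, self.limit)
        if rejection is None:
            return self.app(environ, start_response)
        status, message = rejection
        body = message.encode()
        start_response(status, [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
            ("Connection", "close"),  # do not drain a body we refused to read
        ])
        return [body]


def _demo_app(environ, start_response):
    """Stand-in for the real application (constructed for the demo): proves the view ran."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"upload accepted"]


def run_demo():
    """Exercise the middleware with constructed requests; return the status per case."""
    wrapped = UploadSizeLimitMiddleware(_demo_app, limit=MAX_UPLOAD_BYTES)
    cases = {
        "small_image": {"REQUEST_METHOD": "POST", "PATH_INFO": "/admin/images/add/",
                        "CONTENT_LENGTH": "2048"},
        "huge_image": {"REQUEST_METHOD": "POST", "PATH_INFO": "/admin/images/add/",
                       "CONTENT_LENGTH": str(2 * 1024 ** 3)},  # 2 GiB declared
        "chunked_doc": {"REQUEST_METHOD": "POST", "PATH_INFO": "/admin/documents/add/",
                        "HTTP_TRANSFER_ENCODING": "chunked"},  # no Content-Length
        "page_view": {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin/images/",
                      "CONTENT_LENGTH": ""},
    }
    seen = {}
    for name, environ in cases.items():
        captured = {}

        def start_response(status, headers, exc_info=None, _c=captured):
            _c["status"] = status

        b"".join(wrapped(environ, start_response))
        seen[name] = captured["status"]
    return seen


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Wire it in by wrapping the application object in wsgi.py, e.g. `application = UploadSizeLimitMiddleware(get_wsgi_application())`. The check trusts the declared Content-Length, which is sound only because a conforming server stops reading the body at that length; put the same limit on the reverse proxy as well (for nginx, `client_max_body_size 10m;`) so an oversized body is dropped before it reaches the application process at all.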

CVSS 3.1 base metrics (vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Confidentiality: NONE
  • Scope: UNCHANGED
  • Integrity: NONE
  • Privileges Required: HIGH
  • User Interaction: NONE
  • Availability: HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource consumption attack (also known as a resource exhaustion attack) triggers unauthorized overconsumption of an application's limited resources, such as memory, file system storage, database connection pool entries, and CPU time. This can deny service to legitimate users and degrade the application's functionality, as well as that of the host operating system.

Advisory Timeline

  • Published