Uncontrolled Resource Consumption
CVE-2023-28837
Summary
Wagtail is an open source content management system built on Django. Versions up to and including 4.1.3, and 4.2rc1 through 4.2.1, contain a memory exhaustion bug in Wagtail's handling of uploaded images and documents: both file types are read fully into memory during upload for additional processing. A user with permission to upload images or documents through the Wagtail admin interface can upload a file large enough to exhaust available memory, crashing the process and causing a denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin; it requires an admin user with permission to upload images or documents. Image uploads are restricted to 10MB by default, but that limit is enforced only in the browser front end and, on the backend, only after the vulnerable code has already loaded the whole file into memory, so it does not prevent the attack. Site owners who cannot upgrade to a fixed version are encouraged to add extra protections outside of Wagtail (for example at the web server or reverse proxy) to limit the size of uploaded files.
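The advisory's mitigation is to cap upload size outside of Wagtail, before the application reads the body. The following is an added example written for this page, not Wagtail's or Django's own code: a plain WSGI middleware that refuses a request whose declared Content-Length exceeds a limit, and additionally wraps `wsgi.input` so that a client lying about Content-Length (or sending a chunked body) still cannot push more than the limit into the application. `MAX_UPLOAD_BYTES`, `MaxBodySizeMiddleware`, `LimitedInput` and the `naive_upload_app` stand-in are all hypothetical names chosen here; the stand-in app deliberately reproduces the vulnerable pattern of reading the whole upload before validating it, so the difference with and without the middleware is visible. The request bodies in the demo are constructed inline.

```python
"""WSGI-level upload size cap (example, not Wagtail/Django code)."""
import io
import sys

# Hypothetical deployment cap; match it to the largest upload you expect to allow.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024


class BodyTooLarge(Exception):
    """Raised once the request body grows past the configured limit."""


class LimitedInput:
    """Wraps wsgi.input so the app can never consume more than `limit` bytes,
    regardless of what the Content-Length header claimed."""

    def __init__(self, stream, limit: int):
        self._stream = stream
        self._limit = limit
        self._consumed = 0

    def _budget(self, requested) -> int:
        # Permit exactly one byte past the limit so an overflow is detected
        # on the read that crosses it, without ever buffering unbounded data.
        remaining = self._limit - self._consumed + 1
        if requested is None or requested < 0:
            return remaining
        return min(requested, remaining)

    def _account(self, data: bytes) -> bytes:
        self._consumed += len(data)
        if self._consumed > self._limit:
            raise BodyTooLarge(f"request body exceeds {self._limit} bytes")
        return data

    def read(self, size=-1) -> bytes:
        return self._account(self._stream.read(self._budget(size)))

    def readline(self, size=-1) -> bytes:
        return self._account(self._stream.readline(self._budget(size)))


class MaxBodySizeMiddleware:
    """Rejects oversized uploads before the wrapped app loads them into memory."""

    def __init__(self, app, limit: int = MAX_UPLOAD_BYTES):
        self.app = app
        self.limit = limit

    def __call__(self, environ, start_response):
        declared = environ.get("CONTENT_LENGTH") or "0"
        try:
            declared_length = int(declared)
        except ValueError:
            return self._reject(start_response, "400 Bad Request", b"invalid Content-Length")
        # Cheap check first: an honest client is refused without reading a byte.
        if declared_length > self.limit:
            return self._reject(start_response, "413 Payload Too Large", b"upload too large")
        # A dishonest or chunked client is still bounded while the body is read.
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], self.limit)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            return self._reject(start_response, "413 Payload Too Large",
                                b"upload too large", sys.exc_info())

    @staticmethod
    def _reject(start_response, status, body, exc_info=None):
        headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
        start_response(status, headers, exc_info)
        return [body]


def naive_upload_app(environ, start_response):
    """Stand-in for a handler that slurps the whole upload into memory before
    validating its size, the ordering the advisory describes."""
    data = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"stored %d bytes" % len(data)]


def simulate(app, body: bytes, declared_length=None):
    """Drive `app` with a constructed POST; returns (status line, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(body) if declared_length is None else declared_length),
        "wsgi.input": io.BytesIO(body),
    }
    return captured.get("status") or (lambda r: (captured["status"], b"".join(r)))(app(environ, start_response))


if __name__ == "__main__":
    guarded = MaxBodySizeMiddleware(naive_upload_app, limit=1024)
    print(simulate(naive_upload_app, b"x" * 4096))          # unguarded: whole body read
    print(simulate(guarded, b"x" * 512))                    # under the cap
    print(simulate(guarded, b"x" * 4096))                   # honest Content-Length, refused early
    print(simulate(guarded, b"x" * 4096, declared_length=100))  # lying Content-Length, still refused
```

In a Django deployment the wrapper goes around the application object in `wsgi.py`; the Content-Length check alone can equally be done at a reverse proxy (nginx's `client_max_body_size` does exactly that), while the bounded-read wrapper covers clients the proxy lets through with an understated length. Neither replaces the upgrade: Wagtail's own per-file limit runs after the file is already in memory, which is the point of the advisory.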
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- HIGH
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource consumption attack (also known as a resource exhaustion attack) triggers unauthorized overconsumption of an application's limited resources, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for legitimate users and to degradation of the application's functionality, as well as that of the host operating system.
References
Advisory Timeline
- Published