CVE-2023-31047 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2023-31047 Interim 1 12 2026-03-05T03:43:16Z current 2023-05-19T23:16:05Z 2026-03-05T03:43:16Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2023-31047 In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2023-July/015497.html E-Mail link for SUSE-SU-2023:2839-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 Image SLE-Micro Image SLE-Micro-BYOS Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 openSUSE Leap 15.5 openSUSE Tumbleweed python-Django python-Django1 python3-Django-2.0.7-150000.1.11.1 python310-Django-4.2.1-1.1 python310-Django4-4.2.14-1.1 python311-Django-4.2.1-1.1 python311-Django4-4.2.14-1.1 python312-Django4-4.2.14-1.1 python312-Django6-6.0-1.1 python313-Django6-6.0-1.1 python39-Django-4.2.1-1.1 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 python3-Django-2.0.7-150000.1.11.1 as a component of openSUSE Leap 15.5 python310-Django-4.2.1-1.1 as a component of openSUSE Tumbleweed python310-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python311-Django-4.2.1-1.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.14-1.1 as a component of openSUSE Tumbleweed python312-Django6-6.0-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0-1.1 as a component of openSUSE Tumbleweed python39-Django-4.2.1-1.1 as a component of openSUSE Tumbleweed python-Django as a component of HPE Helion OpenStack 8 python-Django as a component of SUSE OpenStack Cloud 8 python-Django1 as a component of SUSE OpenStack Cloud 9 python-Django as a component of SUSE OpenStack Cloud Crowbar 8 python-Django1 as a component of SUSE OpenStack Cloud Crowbar 9 In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. CVE-2023-31047 Image SLE-Micro:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-BYOS:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-EC2:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP6:python3-Django-2.0.7-150000.1.11.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:python3-Django-2.0.7-150000.1.11.1 openSUSE Leap 15.5:python3-Django-2.0.7-150000.1.11.1 openSUSE Tumbleweed:python310-Django-4.2.1-1.1 openSUSE Tumbleweed:python310-Django4-4.2.14-1.1 openSUSE Tumbleweed:python311-Django-4.2.1-1.1 openSUSE Tumbleweed:python311-Django4-4.2.14-1.1 openSUSE Tumbleweed:python312-Django4-4.2.14-1.1 openSUSE Tumbleweed:python312-Django6-6.0-1.1 openSUSE Tumbleweed:python313-Django6-6.0-1.1 openSUSE Tumbleweed:python39-Django-4.2.1-1.1 HPE Helion OpenStack 8:python-Django SUSE OpenStack Cloud 8:python-Django SUSE OpenStack Cloud 9:python-Django1 SUSE OpenStack Cloud Crowbar 8:python-Django SUSE OpenStack Cloud Crowbar 9:python-Django1 moderate 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L