CVE-2023-24580: 
Django vulnerability analysis and mitigation

CVE-2023-24580 is a vulnerability discovered in the Multipart Request Parser component of Django versions 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. The vulnerability was disclosed on February 14, 2023, and affects the file upload functionality in Django's web framework (Django Security, NVD).

The vulnerability occurs when processing multipart forms, where certain inputs (particularly those with an excessive number of parts) could trigger resource exhaustion. This could lead to either too many open files or memory exhaustion. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD). The fix implemented involves limiting the number of file parts that can be parsed through a new setting called DATA_UPLOAD_MAX_NUMBER_FILES (Django Security).

When successfully exploited, this vulnerability can result in a denial-of-service (DoS) condition, affecting the availability of the Django application. The attack requires no user interaction or special privileges, making it particularly concerning for public-facing applications (NetApp Advisory).

The Django team has released patched versions to address this vulnerability: Django 3.2.18, 4.0.10, and 4.1.7. Users are strongly encouraged to upgrade to these versions immediately. The fix introduces a new setting DATA_UPLOAD_MAX_NUMBER_FILES to limit the number of file parts that can be parsed (Django Security).