CVE-2023-31047: 
Django vulnerability analysis and mitigation

CVE-2023-31047 affects Django versions 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1. The vulnerability was discovered by Moataz Al-Sharida and nawaik, and disclosed on May 3, 2023. The issue involves a potential validation bypass when uploading multiple files using one form field, where forms.FileField or forms.ImageField only validated the last uploaded file despite documentation suggesting otherwise (Django Security).

The vulnerability stems from a discrepancy between Django's implementation and documentation regarding multiple file uploads. While Django's forms.FileField and forms.ImageField only validated the last uploaded file, the documentation suggested multiple file upload support was available. The issue has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The severity is rated as CRITICAL with a CVSS score of 9.8, indicating the highest level of potential impact (NetApp Advisory).

To address this vulnerability, Django implemented changes where ClearableFileInput and FileInput form widgets now raise ValueError when the multiple HTML attribute is set on them. Users can prevent this exception and maintain the old behavior by setting allow_multiple_selected to True. The fix is available in Django versions 3.2.19, 4.1.9, and 4.2.1 (Django Security).