{"id":"PYSEC-2023-222","details":"An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. Unicode NFKC normalization is slow on Windows. Because django.contrib.auth.forms.UsernameField applies NFKC normalization to its input, it is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.","aliases":["BIT-django-2023-46695","CVE-2023-46695","GHSA-qmf9-6jqf-j8fq"],"modified":"2024-03-06T12:27:52.790620Z","published":"2023-11-02T06:15:00Z","references":[{"type":"WEB","url":"https://docs.djangoproject.com/en/4.2/releases/security/"},{"type":"WEB","url":"https://groups.google.com/forum/#!forum/django-announce"},{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2023/nov/01/security-releases/"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2"},{"fixed":"3.2.23"},{"introduced":"4.1"},{"fixed":"4.1.13"},{"introduced":"4.2"},{"fixed":"4.2.7"}]}],"versions":["3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.13","3.2.14","3.2.15","3.2.16","3.2.17","3.2.18","3.2.19","3.2.2","3.2.20","3.2.21","3.2.22","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","4.1","4.1.1","4.1.10","4.1.11","4.1.12","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.2","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-222.yaml"}}],"schema_version":"1.7.3"}