SCA: security update for wagtail (GHSA-33pv-vcgh-jfg9)

medium Tenable Cloud Security Plugin ID 409253

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a
memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and
documents, files are loaded into memory during upload for additional processing. A user with access to
upload images or documents through the Wagtail admin interface could upload a file so large that it
results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor
without access to the Wagtail admin. It can only be exploited by admin users with permission to upload
images or documents. Image uploads are restricted to 10MB by default, however this validation only happens
on the frontend and on the backend after the vulnerable code. Patched versions have been released as
Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged
to add extra protections outside of Wagtail to limit the size of uploaded files. (CVE-2023-28837)

See Also

https://github.com/advisories/GHSA-33pv-vcgh-jfg9

Plugin Details

Severity: Medium

ID: 409253

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:N/A:C

CVSS Score Source: CVE-2023-28837

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 2.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/3/2023

Vulnerability Publication Date: 4/3/2023

Reference Information

CVE: CVE-2023-28837