Today is a special day for me, professionally anyway. It's a day I get to tick a fun item off my bucket list, that I didn't think I'd get the chance to.

Today, a CVE was published with me credited as the discoverer: CVE-2023-28837. I have my first CVE!

#What is a CVE?

A CVE (Common Vulnerabilities and Exposures) ID is a unique reference for a publicly disclosed security flaw. When a vulnerability is found in a piece of software, the vendor (or the researcher who found it) is encouraged to request a CVE ID from a CVE Numbering Authority (CNA) so that the issue has a single, unambiguous identifier. Having that identifier makes tracking the issue across advisories, patches, scanners and bug trackers significantly easier, especially for the vast majority of issues that never get a catchy name like "Heartbleed" or "Meltdown".

#What did you find?

I work for Torchbox, the creators of Wagtail CMS, which I use to run this website. Wagtail lets admin users upload images and documents to be added to pages. As part of the upload, these files are loaded into memory for additional processing, but this happened before any check on the file's size. An admin user could therefore upload a huge file and have the whole thing read into memory, exhausting the server's RAM and crashing the process: a denial of service. The attacker needs an account that is allowed to upload, which limits the exposure, but any such account is enough.
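To make the ordering problem concrete, here is an added illustration written for this post; it is not Wagtail's code or the actual patch. It contrasts the vulnerable pattern (read everything, then check) with the hardened one (check the declared size first, then stream in bounded chunks and abort as soon as the running total passes the limit). The `FakeUpload` class, the `MAX_UPLOAD_BYTES` limit and the function names are assumptions standing in for a Django-style uploaded-file object.

```python
"""Illustration of the bug class behind CVE-2023-28837: a file read fully into
memory before any size check.  Example code written for this post, not
Wagtail's code or its patch; the upload object, limit and function names are
assumptions standing in for Django's UploadedFile API."""
import io

MAX_UPLOAD_BYTES = 1024 * 1024  # hypothetical per-file limit (1 MiB)


class FakeUpload:
    """Minimal stand-in for a Django UploadedFile, constructed for the example:
    a declared size plus a streaming reader.  `declared_size` is what the
    client claimed (Content-Length) and need not match the real content."""

    def __init__(self, content: bytes, declared_size=None, chunk_size=64 * 1024):
        self._buf = io.BytesIO(content)
        self.size = len(content) if declared_size is None else declared_size
        self.chunk_size = chunk_size
        self.peak_read = 0  # largest single read so far: a proxy for resident memory

    def read(self) -> bytes:
        data = self._buf.getvalue()
        self.peak_read = max(self.peak_read, len(data))
        return data

    def chunks(self):
        self._buf.seek(0)
        while True:
            chunk = self._buf.read(self.chunk_size)
            if not chunk:
                return
            self.peak_read = max(self.peak_read, len(chunk))
            yield chunk


class UploadTooLarge(ValueError):
    """Raised with the number of bytes that triggered the rejection."""


def process_upload_vulnerable(upload: FakeUpload) -> int:
    """Order of operations behind the CVE: the whole file is materialised in
    memory first, and only then compared against the limit."""
    data = upload.read()               # entire file now resident in memory
    if len(data) > MAX_UPLOAD_BYTES:   # too late: the allocation already happened
        raise UploadTooLarge(len(data))
    return len(data)


def process_upload_fixed(upload: FakeUpload) -> tuple:
    """Hardened ordering: reject on the declared size before touching content,
    then stream in bounded chunks and stop as soon as the running total passes
    the limit, so a lying Content-Length cannot bypass the check either.
    Returns (total_bytes, largest_chunk) for an accepted upload."""
    if upload.size > MAX_UPLOAD_BYTES:
        raise UploadTooLarge(upload.size)
    total = 0
    largest_chunk = 0
    for chunk in upload.chunks():
        total += len(chunk)
        largest_chunk = max(largest_chunk, len(chunk))
        if total > MAX_UPLOAD_BYTES:
            raise UploadTooLarge(total)
    return total, largest_chunk


if __name__ == "__main__":
    oversized = FakeUpload(b"A" * (2 * 1024 * 1024))
    try:
        process_upload_vulnerable(oversized)
    except UploadTooLarge:
        print("vulnerable path rejected it, but only after reading", oversized.peak_read, "bytes")
    liar = FakeUpload(b"A" * (2 * 1024 * 1024), declared_size=100)
    try:
        process_upload_fixed(liar)
    except UploadTooLarge as exc:
        print("fixed path rejected it at", exc.args[0], "bytes, peak read", liar.peak_read)
```

The `peak_read` counter is the point of the example: the vulnerable path rejects the oversized file only after the entire 2 MiB is resident, whereas the fixed path never holds more than one chunk, even when the client lies about the size. A real implementation would also cap the total request body at the web server or framework level, so the check here is defence in depth rather than the only line.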

If you want to find out more about this specific issue, you can read the advisory I wrote up, and the resulting patches.


After finding this issue, and working with the existing members, I joined Wagtail's security team!


#Why is this special?

For anyone who works in the security industry, it probably isn't. Some people find CVEs all the time. But as someone who doesn't work in security (at least, not directly) and has a strong interest and passion for the field, it's a big deal to me. As humans, we tend to treat a "first" as more important than anything that follows.

This is my first CVE, but hopefully the first of many.
