My First CVE

2 minutes

Today is a special day for me, professionally anyway. It's a day I get to tick a fun item off my bucket list, that I didn't think I'd get the chance to.

Today, a CVE was released where I am the discoverer: CVE-2023-28837. I have my first CVE!

#What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique reference for publicly disclosed security flaws. When a software vendor finds a security incident, they're encouraged to apply for a CVE (from a CVE Numbering Authority) to uniquely identify the issue. Having a unique identifier makes tracking issues significantly easier, especially for issues which don't get catchy names like "Heartbleed" and "Meltdown".

#What did you find?

I work for Torchbox, the creators of Wagtail CMS, that I'm using to run this website. Wagtail lets admin users upload images and documents to be added to pages. As part of the upload, these files are loaded into memory for additional processing, but this is done before any checks on file size. Therefore, it's possible for an admin user to load huge files into memory, which can lead to crashes and a denial of service.

If you want to find out more about this specific issue, you can read the advisory I wrote up, and the resulting patches.


After finding this issue, and working with the existing members, I joined Wagtail's security team!


#Why is this special?

For anyone who works in the security industry, it probably isn't. Some people find CVEs all the time. But as someone who doesn't work in security (at least, directly), but has a strong interest and passion for the field, it's a big deal to me. As humans, we tend to focus on "first" as being more important than any others.

This is my first CVE, but hopefully the first of many.

Share this page

Similar content

View all →

My first arch install

4 minutes

I’ve been an arch user for many years, and a linux user for even longer, but I’ve never installed arch from scratch. I was an Antergos user for many years, but after its demise, I needed an alternative. In a previous post, I spoke of attempting to install vanilla arch…


7 minutes

Yesterday, an email was sent to django-announce, informing of an upcoming security update, labelled “high” severity. Previous notifications like this have been one week before the actual disclosure; This email, just 12 hours. The updates were scheduled to be released 12:00 UTC the next day (today). Already, not the best…


GUIDs - How I messed up my RSS feed

4 minutes

If you're reading this post through an RSS aggregator, or were directed here from one, you may have already seen the issue I'm about to describe, and already swore my name. If you didn't, I'd recommend subscribing, for completely unbiased reasons. This is a tale of RSS, and an easily…