Python/django/2.2.16


A high-level Python web framework that encourages rapid development and clean, pragmatic design.

https://pypi.org/project/django
BSD

5 Security Vulnerabilities

Path Traversal in Django

Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

Affected versions: ["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation: Update to version 5.1.3.

Infinite Loop in Django

Published date: 2022-02-04T00:00:26Z
CVE: CVE-2022-23833
Links:

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Affected versions: ["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation: Update to version 5.1.3.

Cross-site Scripting in Django

Published date: 2022-02-04T00:00:33Z
CVE: CVE-2022-22818
Links:

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

Affected versions: ["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation: Update to version 5.1.3.

Django Directory Traversal via archive.extract

Published date: 2021-03-18T20:29:49Z
CVE: CVE-2021-3281
Links:

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template and startproject --template) allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Affected versions: ["3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation: Update to version 5.1.3.

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Published date: 2021-06-10T17:21:12Z
CVE: CVE-2021-33571
Links:

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .

Affected versions: ["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23"]
Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation: Update to version 5.1.3.

373 Other Versions

Version License Security Released
1.10.6 BSD 8 2017-03-01 - 13:37 over 7 years
1.10.5 BSD 8 2017-01-04 - 19:22 almost 8 years
1.10.4 BSD 8 2016-12-01 - 23:46 almost 8 years
1.10.3 BSD 8 2016-11-01 - 13:56 about 8 years
1.10.2 BSD 10 2016-10-01 - 20:05 about 8 years
1.10.1 BSD 10 2016-09-01 - 23:17 about 8 years
1.10 BSD 10 2016-08-01 - 18:32 over 8 years
1.9.13 BSD 5 2017-04-04 - 14:14 over 7 years
1.9.12 BSD 7 2016-12-01 - 23:16 almost 8 years
1.9.11 BSD 7 2016-11-01 - 14:02 about 8 years
1.9.10 BSD 9 2016-09-26 - 18:32 about 8 years
1.9.9 BSD 10 2016-08-01 - 18:10 over 8 years
1.9.8 BSD 10 2016-07-18 - 18:19 over 8 years
1.9.7 BSD 11 2016-06-04 - 23:43 over 8 years
1.9.6 BSD 11 2016-05-02 - 22:33 over 8 years
1.9.5 BSD 11 2016-04-01 - 17:47 over 8 years
1.9.4 BSD 11 2016-03-05 - 14:31 over 8 years
1.9.3 BSD 11 2016-03-01 - 17:00 over 8 years
1.9.2 BSD 12 2016-02-01 - 17:17 almost 9 years
1.9.1 BSD 13 2016-01-02 - 13:50 almost 9 years
1.9 BSD 13 2015-12-01 - 23:55 almost 9 years
1.8.19 BSD 5 2018-03-06 - 14:22 over 6 years
1.8.18 BSD 7 2017-04-04 - 14:07 over 7 years
1.8.17 BSD 9 2016-12-01 - 23:03 almost 8 years
1.8.16 BSD 9 2016-11-01 - 14:09 about 8 years
1.8.15 BSD 11 2016-09-26 - 18:30 about 8 years
1.8.14 BSD 12 2016-07-18 - 18:38 over 8 years
1.8.13 BSD 13 2016-05-02 - 22:49 over 8 years
1.8.12 BSD 13 2016-04-01 - 17:54 over 8 years
1.8.11 BSD 13 2016-03-05 - 18:36 over 8 years
1.8.10 BSD 13 2016-03-01 - 17:10 over 8 years
1.8.9 BSD 15 2016-02-01 - 17:24 almost 9 years
1.8.8 BSD 15 2016-01-02 - 14:28 almost 9 years
1.8.7 BSD 15 2015-11-24 - 17:28 almost 9 years
1.8.6 BSD 15 2015-11-04 - 17:03 about 9 years
1.8.5 BSD 15 2015-10-04 - 00:06 about 9 years
1.8.4 BSD 15 2015-08-18 - 17:06 about 9 years
1.8.3 BSD 16 2015-07-08 - 19:43 over 9 years
1.8.2 BSD 17 2015-05-20 - 18:02 over 9 years
1.8.1 BSD 17 2015-05-01 - 20:36 over 9 years
1.8 BSD 17 2015-04-01 - 20:12 over 9 years
1.7.11 BSD 9 2015-11-24 - 17:19 almost 9 years
1.7.10 BSD 10 2015-08-18 - 17:15 about 9 years
1.7.9 BSD 11 2015-07-08 - 21:33 over 9 years
1.7.8 BSD 11 2015-05-01 - 20:42 over 9 years
1.7.7 BSD 11 2015-03-18 - 23:49 over 9 years
1.7.6 BSD 11 2015-03-09 - 15:30 over 9 years
1.7.5 BSD 12 2015-02-25 - 13:58 over 9 years
1.7.4 BSD 12 2015-01-27 - 17:22 almost 10 years
1.7.3 BSD 12 2015-01-13 - 18:39 almost 10 years
1.7.2 BSD 12 2015-01-03 - 01:37 almost 10 years
1.7.1 BSD 12 2014-10-22 - 16:56 about 10 years
1.7 BSD 12 2014-09-02 - 21:09 about 10 years
1.6.11 BSD 10 2015-03-18 - 23:57 over 9 years
1.6.10 BSD 10 2015-01-13 - 18:48 almost 10 years
1.6.9 BSD 10 2015-01-03 - 01:52 almost 10 years
1.6.8 BSD 10 2014-10-22 - 16:50 about 10 years
1.6.7 BSD 10 2014-09-02 - 20:55 about 10 years
1.6.6 BSD 10 2014-08-20 - 20:17 about 10 years
1.6.5 BSD 11 2014-05-14 - 18:33 over 10 years
1.6.4 BSD 13 2014-04-28 - 20:40 over 10 years
1.6.3 BSD 13 2014-04-21 - 23:12 over 10 years
1.6.2 BSD 13 2014-02-06 - 21:51 almost 11 years
1.6.1 BSD 13 2013-12-12 - 20:04 almost 11 years
1.6 BSD 13 2013-11-06 - 15:01 about 11 years
1.5.12 BSD 10 2015-01-03 - 02:09 almost 10 years
1.5.11 BSD 10 2014-10-22 - 16:45 about 10 years
1.5.10 BSD 10 2014-09-02 - 20:51 about 10 years
1.5.9 BSD 10 2014-08-20 - 20:10 about 10 years
1.5.8 BSD 10 2014-05-14 - 18:35 over 10 years
1.5.7 BSD 12 2014-04-28 - 20:35 over 10 years
1.5.6 BSD 12 2014-04-21 - 22:53 over 10 years
1.5.5 BSD 12 2013-10-25 - 04:32 about 11 years
1.5.4 BSD 12 2013-09-15 - 06:30 about 11 years
1.5.3 BSD 13 2013-09-11 - 01:26 about 11 years
1.5.2 BSD 14 2013-08-13 - 16:54 over 11 years
1.5.1 BSD 16 2013-03-28 - 20:57 over 11 years
1.5 BSD 16 2013-02-26 - 19:30 over 11 years
1.4.22 BSD 10 2015-08-18 - 17:22 about 9 years
1.4.21 BSD 11 2015-07-08 - 19:56 over 9 years
1.4.20 BSD 13 2015-03-19 - 00:03 over 9 years
1.4.19 BSD 13 2015-01-27 - 17:11 almost 10 years
1.4.18 BSD 13 2015-01-13 - 18:54 almost 10 years
1.4.17 BSD 16 2015-01-03 - 02:20 almost 10 years
1.4.16 BSD 16 2014-10-22 - 16:37 about 10 years
1.4.15 BSD 16 2014-09-02 - 20:44 about 10 years
1.4.14 BSD 16 2014-08-20 - 20:01 about 10 years
1.4.13 BSD 19 2014-05-14 - 18:27 over 10 years
1.4.12 BSD 21 2014-04-28 - 20:30 over 10 years
1.4.11 BSD 21 2014-04-21 - 22:40 over 10 years
1.4.10 BSD 23 2013-11-06 - 14:21 about 11 years
1.4.9 BSD 23 2013-10-25 - 04:38 about 11 years
1.4.8 BSD 23 2013-09-15 - 06:22 about 11 years
1.4.7 BSD 24 2013-09-11 - 01:18 about 11 years
1.4.6 BSD 25 2013-08-13 - 16:52 over 11 years
1.4.5 BSD 26 2013-02-20 - 19:54 over 11 years
1.4.4 BSD 26 2013-02-19 - 20:27 over 11 years
1.4.3 BSD 28 2012-12-10 - 21:46 almost 12 years
1.4.2 BSD 28 2012-10-17 - 22:18 about 12 years
1.4.1 BSD 29 2012-07-30 - 22:48 over 12 years