Python/django/2.2.8
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
10 Security Vulnerabilities
XSS in Django
Published date: 2020-06-05T16:24:28Z
CVE: CVE-2020-13596
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13596
- https://github.com/advisories/GHSA-2m34-jcjv-45xf
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://security.netapp.com/advisory/ntap-20200611-0002/
- https://usn.ubuntu.com/4381-1/
- https://usn.ubuntu.com/4381-2/
- https://www.debian.org/security/2020/dsa-4705
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
- https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815
- https://docs.djangoproject.com/en/3.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ
- https://security.netapp.com/advisory/ntap-20200611-0002
- https://usn.ubuntu.com/4381-1
- https://usn.ubuntu.com/4381-2
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Affected versions:
["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
SQL injection in Django
Published date: 2020-06-05T14:52:07Z
CVE: CVE-2020-9402
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
- https://github.com/advisories/GHSA-3gh2-xw74-jmcw
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
- https://usn.ubuntu.com/4296-1/
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004/
- https://www.debian.org/security/2020/dsa-4705
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/
- https://github.com/django/django/commit/6695d29b1c1ce979725816295a26ecc64ae0e927
- https://docs.djangoproject.com/en/3.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY
- https://security.netapp.com/advisory/ntap-20200327-0004
- https://usn.ubuntu.com/4296-1
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Affected versions:
["2.2", "2.2.1", "2.2.10", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "3.0", "3.0.1", "3.0.2", "3.0.3"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Path Traversal in Django
Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33203
- https://github.com/advisories/GHSA-68w8-qjq3-2gfm
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/20c67a0693c4ede2b09af02574823485e82e4c8f
- https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20210727-0004
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Affected versions:
["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Infinite Loop in Django
Published date: 2022-02-04T00:00:26Z
CVE: CVE-2022-23833
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23833
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-6cw3-g6wv-c2xv
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
- https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Cross-site Scripting in Django
Published date: 2022-02-04T00:00:33Z
CVE: CVE-2022-22818
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22818
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-95rw-fx8r-36v6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
- https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2
- https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20220221-0003
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-19.yaml
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Django Incorrect Default Permissions
Published date: 2021-03-18T20:30:01Z
CVE: CVE-2020-24584
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-24584
- https://github.com/advisories/GHSA-fr28-569j-53c4
- https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
- https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
- https://security.netapp.com/advisory/ntap-20200918-0004/
- https://usn.ubuntu.com/4479-1/
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b
- https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f
- https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554
- https://docs.djangoproject.com/en/dev/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI
- https://security.netapp.com/advisory/ntap-20200918-0004
- https://usn.ubuntu.com/4479-1
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-34.yaml
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
Affected versions:
["3.1", "3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Django Directory Traversal via archive.extract
Published date: 2021-03-18T20:29:49Z
CVE: CVE-2021-3281
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- https://github.com/advisories/GHSA-fvgf-6h6h-3322
- https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- https://security.netapp.com/advisory/ntap-20210226-0004/
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
- https://docs.djangoproject.com/en/3.1/releases/3.0.12/
- https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
- https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
- https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a
- https://docs.djangoproject.com/en/3.1/releases/3.0.12
- https://docs.djangoproject.com/en/3.1/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO
- https://security.netapp.com/advisory/ntap-20210226-0004
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template
and startproject --template
) allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Affected versions:
["3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Django Incorrect Default Permissions
Published date: 2021-03-18T20:30:13Z
CVE: CVE-2020-24583
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-24583
- https://github.com/advisories/GHSA-m6gj-h9gm-gw44
- https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
- https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
- https://security.netapp.com/advisory/ntap-20200918-0004/
- https://usn.ubuntu.com/4479-1/
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
- https://www.oracle.com/security-alerts/cpujan2021.html
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILEUPLOADDIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
Affected versions:
["3.1", "3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
Published date: 2021-06-10T17:21:12Z
CVE: CVE-2021-33571
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33571
- https://github.com/advisories/GHSA-p99v-5w3c-jqq9
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
- https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
- https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .
Affected versions:
["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Data leakage via cache key collision in Django
Published date: 2020-06-05T16:20:44Z
CVE: CVE-2020-13254
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13254
- https://github.com/advisories/GHSA-wpjr-j57x-wxfw
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
- https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://security.netapp.com/advisory/ntap-20200611-0002/
- https://usn.ubuntu.com/4381-1/
- https://usn.ubuntu.com/4381-2/
- https://www.debian.org/security/2020/dsa-4705
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206
- https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Affected versions:
["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.