Python/django/3.0

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Repo Link: https://pypi.org/project/django
License: BSD

7 Security Vulnerabilities

XSS in Django

Published date: 2020-06-05T16:24:28Z

CVE: CVE-2020-13596

Links:

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Affected versions: ["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]

Secure versions: [3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]

Recommendation: Update to version 5.1.3.

SQL injection in Django

Published date: 2020-06-05T14:52:07Z

CVE: CVE-2020-9402

Links:

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Affected versions: ["2.2", "2.2.1", "2.2.10", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "3.0", "3.0.1", "3.0.2", "3.0.3"]

Recommendation: Update to version 5.1.3.

Django Incorrect Default Permissions

Published date: 2021-03-18T20:30:01Z

CVE: CVE-2020-24584

Links:

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

Affected versions: ["3.1", "3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]

Recommendation: Update to version 5.1.3.

Django Directory Traversal via archive.extract

Published date: 2021-03-18T20:29:49Z

CVE: CVE-2021-3281

Links:

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template and startproject --template) allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Affected versions: ["3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]

Recommendation: Update to version 5.1.3.

Django Incorrect Default Permissions

Published date: 2021-03-18T20:30:13Z

CVE: CVE-2020-24583

Links:

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILEUPLOADDIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

Recommendation: Update to version 5.1.3.

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Published date: 2021-06-10T17:21:12Z

CVE: CVE-2021-33571

Links:

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .

Affected versions: ["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23"]

Recommendation: Update to version 5.1.3.

Data leakage via cache key collision in Django

Published date: 2020-06-05T16:20:44Z

CVE: CVE-2020-13254

Links:

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

Affected versions: ["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1"]

Recommendation: Update to version 5.1.3.

373 Other Versions

Version	License	Security	Released
5.1.3	BSD-3-Clause AND BSD
5.1.2	BSD-3-Clause AND BSD
5.1.1	BSD-3-Clause AND BSD
5.1	BSD-3-Clause AND BSD
5.0.9	BSD-3-Clause AND BSD
5.0.8	BSD-3-Clause AND BSD
5.0.7	BSD-3-Clause AND BSD
5.0.6	BSD-3-Clause AND BSD
5.0.5	BSD-3-Clause AND BSD
5.0.4	BSD-3-Clause AND BSD
5.0.3	BSD-3-Clause AND BSD
5.0.2	BSD-3-Clause AND BSD	1
5.0.1	BSD-3-Clause AND BSD	2
5.0	BSD-3-Clause AND BSD	2
4.2.16	BSD-3-Clause AND BSD
4.2.15	BSD-3-Clause AND BSD
4.2.14	BSD-3-Clause AND BSD
4.2.13	BSD-3-Clause AND BSD
4.2.12	BSD-3-Clause AND BSD
4.2.11	BSD-3-Clause AND BSD
4.2.10	BSD-3-Clause AND BSD	1
4.2.9	BSD-3-Clause AND BSD	2
4.2.8	BSD-3-Clause AND BSD	2
4.2.7	BSD-3-Clause AND BSD	2
4.2.6	BSD-3-Clause AND BSD	3
4.2.5	BSD-3-Clause AND BSD	4
4.2.4	BSD-3-Clause AND BSD	5
4.2.3	BSD-3-Clause AND BSD	5
4.2.2	BSD-3-Clause AND BSD	6
4.2.1	BSD-3-Clause AND BSD	6
4.2	BSD-3-Clause AND BSD	6
4.1.13	BSD-3-Clause AND BSD
4.1.12	BSD-3-Clause AND BSD	1
4.1.11	BSD-3-Clause AND BSD	2
4.1.10	BSD-3-Clause AND BSD	3
4.1.9	BSD-3-Clause AND BSD	4
4.1.8	BSD-3-Clause AND BSD	4
4.1.7	BSD-3-Clause AND BSD	4
4.1.6	BSD-3-Clause AND BSD	4
4.1.5	BSD-3-Clause AND BSD	5
4.1.4	BSD-3-Clause AND BSD	5
4.1.3	BSD-3-Clause AND BSD	5
4.1.2	BSD-3-Clause AND BSD	5
4.1.1	BSD-3-Clause AND BSD	6
4.1	BSD-3-Clause AND BSD	6
4.0.10	BSD-3-Clause AND BSD	1
4.0.9	BSD-3-Clause AND BSD	1
4.0.8	BSD-3-Clause AND BSD	2
4.0.7	BSD-3-Clause AND BSD	3
4.0.6	BSD-3-Clause AND BSD	3	2022-07-04 - 07:57	over 2 years
4.0.5	BSD-3-Clause AND BSD	4	2022-06-01 - 12:22	over 2 years
4.0.4	BSD-3-Clause AND BSD	4	2022-04-11 - 07:53	over 2 years
4.0.3	BSD-3-Clause AND BSD	4	2022-03-01 - 08:47	over 2 years
4.0.2	BSD-3-Clause AND BSD	4	2022-02-01 - 07:56	almost 3 years
4.0.1	BSD-3-Clause AND BSD	6	2022-01-04 - 09:53	almost 3 years
4.0	BSD-3-Clause AND BSD	6	2021-12-07 - 09:19	almost 3 years
3.2.25	BSD-3-Clause AND BSD
3.2.24	BSD-3-Clause AND BSD	1
3.2.23	BSD-3-Clause AND BSD	1
3.2.22	BSD-3-Clause AND BSD	2
3.2.21	BSD-3-Clause AND BSD	3
3.2.20	BSD-3-Clause AND BSD	4
3.2.19	BSD-3-Clause AND BSD	5
3.2.18	BSD-3-Clause AND BSD	5
3.2.17	BSD-3-Clause AND BSD	5
3.2.16	BSD-3-Clause AND BSD	6
3.2.15	BSD-3-Clause AND BSD	7
3.2.14	BSD-3-Clause AND BSD	7	2022-07-04 - 07:57	over 2 years
3.2.13	BSD-3-Clause AND BSD	8	2022-04-11 - 07:52	over 2 years
3.2.12	BSD-3-Clause AND BSD	8	2022-02-01 - 07:56	almost 3 years
3.2.11	BSD-3-Clause AND BSD	10	2022-01-04 - 09:53	almost 3 years
3.2.10	BSD-3-Clause AND BSD	10	2021-12-07 - 07:34	almost 3 years
3.2.9	BSD-3-Clause AND BSD	10	2021-11-01 - 09:31	about 3 years
3.2.8	BSD-3-Clause AND BSD	10	2021-10-05 - 07:46	about 3 years
3.2.7	BSD-3-Clause AND BSD	10	2021-09-01 - 05:57	about 3 years
3.2.6	BSD-3-Clause AND BSD	10	2021-08-02 - 06:28	over 3 years
3.2.5	BSD-3-Clause AND BSD	10	2021-07-01 - 07:40	over 3 years
3.2.4	BSD-3-Clause AND BSD	10	2021-06-02 - 08:54	over 3 years
3.2.3	BSD-3-Clause AND BSD	11	2021-05-13 - 07:36	over 3 years
3.2.2	BSD-3-Clause AND BSD	11	2021-05-06 - 07:40	over 3 years
3.2.1	BSD-3-Clause AND BSD	11	2021-05-04 - 08:47	over 3 years
3.2	BSD-3-Clause AND BSD	11	2021-04-06 - 09:33	over 3 years
3.1.14	BSD-3-Clause AND BSD		2021-12-07 - 07:34	almost 3 years
3.1.13	BSD-3-Clause AND BSD		2021-07-01 - 07:39	over 3 years
3.1.12	BSD-3-Clause AND BSD		2021-06-02 - 08:53	over 3 years
3.1.11	BSD-3-Clause AND BSD	1	2021-05-13 - 07:36	over 3 years
3.1.10	BSD-3-Clause AND BSD	1	2021-05-06 - 07:40	over 3 years
3.1.9	BSD-3-Clause AND BSD	1	2021-05-04 - 08:47	over 3 years
3.1.8	BSD-3-Clause AND BSD	1	2021-04-06 - 07:34	over 3 years
3.1.7	BSD-3-Clause AND BSD	1	2021-02-19 - 09:08	over 3 years
3.1.6	BSD-3-Clause AND BSD	1	2021-02-01 - 09:28	almost 4 years
3.1.5	BSD-3-Clause AND BSD	2	2021-01-04 - 07:54	almost 4 years
3.1.4	BSD-3-Clause AND BSD	2	2020-12-01 - 06:03	almost 4 years
3.1.3	BSD-3-Clause AND BSD	2	2020-11-02 - 08:12	about 4 years
3.1.2	BSD-3-Clause AND BSD	2	2020-10-01 - 05:38	about 4 years
3.1.1	BSD-3-Clause AND BSD	2	2020-09-01 - 09:14	about 4 years
3.1	BSD-3-Clause AND BSD	4	2020-08-04 - 08:07	over 4 years
3.0.14	BSD	1	2021-04-06 - 07:34	over 3 years
3.0.13	BSD	1	2021-02-19 - 09:08	over 3 years
3.0.12	BSD	1	2021-02-01 - 09:28	almost 4 years