Python/django/3.0.7
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
4 Security Vulnerabilities
Django Incorrect Default Permissions
- https://nvd.nist.gov/vuln/detail/CVE-2020-24584
- https://github.com/advisories/GHSA-fr28-569j-53c4
- https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
- https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
- https://security.netapp.com/advisory/ntap-20200918-0004/
- https://usn.ubuntu.com/4479-1/
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b
- https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f
- https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554
- https://docs.djangoproject.com/en/dev/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI
- https://security.netapp.com/advisory/ntap-20200918-0004
- https://usn.ubuntu.com/4479-1
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-34.yaml
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
Django Directory Traversal via archive.extract
- https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- https://github.com/advisories/GHSA-fvgf-6h6h-3322
- https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- https://security.netapp.com/advisory/ntap-20210226-0004/
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
- https://docs.djangoproject.com/en/3.1/releases/3.0.12/
- https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
- https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
- https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a
- https://docs.djangoproject.com/en/3.1/releases/3.0.12
- https://docs.djangoproject.com/en/3.1/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO
- https://security.netapp.com/advisory/ntap-20210226-0004
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template
and startproject --template
) allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Django Incorrect Default Permissions
- https://nvd.nist.gov/vuln/detail/CVE-2020-24583
- https://github.com/advisories/GHSA-m6gj-h9gm-gw44
- https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
- https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
- https://security.netapp.com/advisory/ntap-20200918-0004/
- https://usn.ubuntu.com/4479-1/
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
- https://www.oracle.com/security-alerts/cpujan2021.html
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILEUPLOADDIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
- https://nvd.nist.gov/vuln/detail/CVE-2021-33571
- https://github.com/advisories/GHSA-p99v-5w3c-jqq9
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
- https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
- https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .