Python/django/1.9rc2
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
2 Security Vulnerabilities
Path Traversal in Django
Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33203
- https://github.com/advisories/GHSA-68w8-qjq3-2gfm
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/20c67a0693c4ede2b09af02574823485e82e4c8f
- https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20210727-0004
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Affected versions:
["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10b1", "1.10rc1", "1.11.1", "1.11.12", "1.11.14", "1.11.15", "1.11.18", "1.11.22", "1.11.23", "1.11.24", "1.11.26", "1.11.27", "1.11.3", "1.11.8", "1.11.9", "1.11rc1", "1.2", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.3", "1.3.4", "1.3.7", "1.4", "1.4.10", "1.4.12", "1.4.16", "1.4.17", "1.4.19", "1.4.22", "1.4.7", "1.4.8", "1.5.1", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.3", "1.6.4", "1.6.6", "1.7.10", "1.7.11", "1.7.2", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.13", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.2", "1.8.5", "1.8.6", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.11", "1.9.8", "1.9.9", "1.9b1", "1.9rc2", "2.0", "2.0.1", "2.0.3", "2.0.4", "2.0.5", "2.0a1", "2.1.1", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.8", "2.1a1", "2.2.12", "2.2.17", "2.2.18", "2.2.9", "1.1", "1.1.1", "1.1.2", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.11", "1.11.10", "1.11.11", "1.11.13", "1.11.16", "1.11.17", "1.11.2", "1.11.20", "1.11.21", "1.11.25", "1.11.28", "1.11.29", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11a1", "1.11b1", "1.2.1", "1.2.3", "1.2.7", "1.3.1", "1.3.2", "1.3.3", "1.3.5", "1.3.6", "1.4.1", "1.4.11", "1.4.13", "1.4.14", "1.4.15", "1.4.18", "1.4.2", "1.4.20", "1.4.21", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.9", "1.5", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.4", "1.5.8", "1.5.9", "1.6.2", "1.6.5", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.3", "1.7.4", "1.7.5", "1.8.11", "1.8.12", "1.8.14", "1.8.19", "1.8.3", "1.8.4", "1.8.7", "1.8.8", "1.9.10", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9a1", "1.9rc1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0b1", "2.0rc1", "2.1", "2.1.10", "2.1.11", "2.1.12", "2.1.5", "2.1.7", "2.1.9", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django Cross-site scripting Vulnerability
Published date: 2022-05-14T02:46:13Z
CVE: CVE-2016-6186
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6186
- https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158
- https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
- https://www.exploit-db.com/exploits/40129/
- http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html
- http://rhn.redhat.com/errata/RHSA-2016-1594.html
- http://rhn.redhat.com/errata/RHSA-2016-1595.html
- http://rhn.redhat.com/errata/RHSA-2016-1596.html
- http://seclists.org/fulldisclosure/2016/Jul/53
- http://www.debian.org/security/2016/dsa-3622
- http://www.ubuntu.com/usn/USN-3039-1
- http://www.vulnerability-lab.com/get_content.php?id=1869
- https://web.archive.org/web/20201022155237/http://www.securityfocus.com/archive/1/538947/100/0/threaded
- https://web.archive.org/web/20210123154652/http://www.securityfocus.com/bid/92058
- https://web.archive.org/web/20211204042848/http://www.securitytracker.com/id/1036338
- https://github.com/advisories/GHSA-c8c8-9472-w52h
- https://github.com/django/django/commit/6fa150b2f8b601668083042324c4add534143cb1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW
- https://www.djangoproject.com/weblog/2016/jul/18/security-releases
- https://www.exploit-db.com/exploits/40129
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Affected versions:
["1.10b1", "1.8b1", "1.8b2", "1.9b1", "1.9rc2", "1.10a1", "1.11a1", "1.11b1", "1.9rc1", "1.9", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.3", "1.1.4", "1.10rc1", "1.11rc1", "1.2", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.3", "1.3.4", "1.3.7", "1.4", "1.4.10", "1.4.12", "1.4.16", "1.4.17", "1.4.19", "1.4.22", "1.4.7", "1.4.8", "1.5.1", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.3", "1.6.4", "1.6.6", "1.7.10", "1.7.11", "1.7.2", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.13", "1.8.2", "1.8.5", "1.8.6", "1.8.9", "1.8a1", "1.8c1", "1.1", "1.1.1", "1.1.2", "1.2.1", "1.2.3", "1.2.7", "1.3.1", "1.3.2", "1.3.3", "1.3.5", "1.3.6", "1.4.1", "1.4.11", "1.4.13", "1.4.14", "1.4.15", "1.4.18", "1.4.2", "1.4.20", "1.4.21", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.9", "1.5", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.4", "1.5.8", "1.5.9", "1.6.2", "1.6.5", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.3", "1.7.4", "1.7.5", "1.8.11", "1.8.12", "1.8.3", "1.8.4", "1.8.7", "1.8.8"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.11.22 | BSD | 8 | 2019-07-01 - 07:19 | about 6 years |
| 1.11.21 | BSD | 9 | 2019-06-03 - 10:10 | about 6 years |
| 1.11.20 | BSD | 10 | 2019-02-11 - 15:10 | over 6 years |
| 1.11.18 | BSD | 11 | 2019-01-04 - 14:10 | over 6 years |
| 1.11.17 | BSD | 12 | 2018-12-03 - 17:02 | over 6 years |
| 1.11.16 | BSD | 12 | 2018-10-01 - 09:22 | over 6 years |
| 1.11.15 | BSD | 12 | 2018-08-01 - 13:45 | almost 7 years |
| 1.11.14 | BSD | 12 | 2018-07-02 - 09:01 | almost 7 years |
| 1.11.13 | BSD | 12 | 2018-05-02 - 01:54 | about 7 years |
| 1.11.12 | BSD | 12 | 2018-04-03 - 02:45 | about 7 years |
| 1.11.11 | BSD | 12 | 2018-03-06 - 14:15 | over 7 years |
| 1.11.10 | BSD | 14 | 2018-02-01 - 14:40 | over 7 years |
| 1.11.9 | BSD | 15 | 2018-01-02 - 01:01 | over 7 years |
| 1.11.8 | BSD | 15 | 2017-12-02 - 14:20 | over 7 years |
| 1.11.7 | BSD | 14 | 2017-11-02 - 01:26 | over 7 years |
| 1.11.6 | BSD | 14 | 2017-10-05 - 18:21 | over 7 years |
| 1.11.5 | BSD | 14 | 2017-09-05 - 15:18 | almost 8 years |
| 1.11.4 | BSD | 15 | 2017-08-01 - 12:24 | almost 8 years |
| 1.11.3 | BSD | 15 | 2017-07-01 - 23:24 | almost 8 years |
| 1.11.2 | BSD | 15 | 2017-06-01 - 16:47 | about 8 years |
| 1.11.1 | BSD | 15 | 2017-05-06 - 13:26 | about 8 years |
| 1.11 | BSD | 15 | 2017-04-04 - 15:59 | about 8 years |
| 1.10.8 | BSD | 5 | 2017-09-05 - 15:31 | almost 8 years |
| 1.10.7 | BSD | 6 | 2017-04-04 - 14:27 | about 8 years |
| 1.10.6 | BSD | 8 | 2017-03-01 - 13:37 | over 8 years |
| 1.10.5 | BSD | 8 | 2017-01-04 - 19:22 | over 8 years |
| 1.10.4 | BSD | 8 | 2016-12-01 - 23:46 | over 8 years |
| 1.10.3 | BSD | 8 | 2016-11-01 - 13:56 | over 8 years |
| 1.10.2 | BSD | 10 | 2016-10-01 - 20:05 | over 8 years |
| 1.10.1 | BSD | 10 | 2016-09-01 - 23:17 | almost 9 years |
| 1.10 | BSD | 10 | 2016-08-01 - 18:32 | almost 9 years |
| 1.9.13 | BSD | 5 | 2017-04-04 - 14:14 | about 8 years |
| 1.9.12 | BSD | 7 | 2016-12-01 - 23:16 | over 8 years |
| 1.9.11 | BSD | 7 | 2016-11-01 - 14:02 | over 8 years |
| 1.9.10 | BSD | 9 | 2016-09-26 - 18:32 | almost 9 years |
| 1.9.9 | BSD | 10 | 2016-08-01 - 18:10 | almost 9 years |
| 1.9.8 | BSD | 10 | 2016-07-18 - 18:19 | almost 9 years |
| 1.9.7 | BSD | 11 | 2016-06-04 - 23:43 | about 9 years |
| 1.9.6 | BSD | 11 | 2016-05-02 - 22:33 | about 9 years |
| 1.9.5 | BSD | 11 | 2016-04-01 - 17:47 | about 9 years |
| 1.9.4 | BSD | 11 | 2016-03-05 - 14:31 | over 9 years |
| 1.9.3 | BSD | 11 | 2016-03-01 - 17:00 | over 9 years |
| 1.9.2 | BSD | 12 | 2016-02-01 - 17:17 | over 9 years |
| 1.9.1 | BSD | 13 | 2016-01-02 - 13:50 | over 9 years |
| 1.9 | BSD | 13 | 2015-12-01 - 23:55 | over 9 years |
| 1.8.19 | BSD | 5 | 2018-03-06 - 14:22 | over 7 years |
| 1.8.18 | BSD | 7 | 2017-04-04 - 14:07 | about 8 years |
| 1.8.17 | BSD | 9 | 2016-12-01 - 23:03 | over 8 years |
| 1.8.16 | BSD | 9 | 2016-11-01 - 14:09 | over 8 years |
| 1.8.15 | BSD | 11 | 2016-09-26 - 18:30 | almost 9 years |