Python/django/2.1.12
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
3 Security Vulnerabilities
Path Traversal in Django
Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33203
- https://github.com/advisories/GHSA-68w8-qjq3-2gfm
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/20c67a0693c4ede2b09af02574823485e82e4c8f
- https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20210727-0004
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Affected versions:
["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10b1", "1.10rc1", "1.11.1", "1.11.12", "1.11.14", "1.11.15", "1.11.18", "1.11.22", "1.11.23", "1.11.24", "1.11.26", "1.11.27", "1.11.3", "1.11.8", "1.11.9", "1.11rc1", "1.2", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.3", "1.3.4", "1.3.7", "1.4", "1.4.10", "1.4.12", "1.4.16", "1.4.17", "1.4.19", "1.4.22", "1.4.7", "1.4.8", "1.5.1", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.3", "1.6.4", "1.6.6", "1.7.10", "1.7.11", "1.7.2", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.13", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.2", "1.8.5", "1.8.6", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.11", "1.9.8", "1.9.9", "1.9b1", "1.9rc2", "2.0", "2.0.1", "2.0.3", "2.0.4", "2.0.5", "2.0a1", "2.1.1", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.8", "2.1a1", "2.2.12", "2.2.17", "2.2.18", "2.2.9", "1.1", "1.1.1", "1.1.2", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.11", "1.11.10", "1.11.11", "1.11.13", "1.11.16", "1.11.17", "1.11.2", "1.11.20", "1.11.21", "1.11.25", "1.11.28", "1.11.29", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11a1", "1.11b1", "1.2.1", "1.2.3", "1.2.7", "1.3.1", "1.3.2", "1.3.3", "1.3.5", "1.3.6", "1.4.1", "1.4.11", "1.4.13", "1.4.14", "1.4.15", "1.4.18", "1.4.2", "1.4.20", "1.4.21", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.9", "1.5", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.4", "1.5.8", "1.5.9", "1.6.2", "1.6.5", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.3", "1.7.4", "1.7.5", "1.8.11", "1.8.12", "1.8.14", "1.8.19", "1.8.3", "1.8.4", "1.8.7", "1.8.8", "1.9.10", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9a1", "1.9rc1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0b1", "2.0rc1", "2.1", "2.1.10", "2.1.11", "2.1.12", "2.1.5", "2.1.7", "2.1.9", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django allows unintended model editing
Published date: 2019-12-04T21:26:28Z
CVE: CVE-2019-19118
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-19118
- https://github.com/advisories/GHSA-hvmf-r92r-27hr
- https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244
- https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
- http://www.openwall.com/lists/oss-security/2019/12/02/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
- https://security.netapp.com/advisory/ntap-20191217-0003/
- https://security.gentoo.org/glsa/202004-17
- https://docs.djangoproject.com/en/dev/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5
- https://security.netapp.com/advisory/ntap-20191217-0003
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Affected versions:
["2.2", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Data leakage via cache key collision in Django
Published date: 2020-06-05T16:20:44Z
CVE: CVE-2020-13254
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13254
- https://github.com/advisories/GHSA-wpjr-j57x-wxfw
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
- https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://security.netapp.com/advisory/ntap-20200611-0002/
- https://usn.ubuntu.com/4381-1/
- https://usn.ubuntu.com/4381-2/
- https://www.debian.org/security/2020/dsa-4705
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206
- https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Affected versions:
["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 4.2.4 | BSD-3-Clause AND BSD | 7 | 1970-01-01 - 00:00 | over 55 years |
| 4.2.3 | BSD-3-Clause AND BSD | 7 | 1970-01-01 - 00:00 | over 55 years |
| 4.2.2 | BSD-3-Clause AND BSD | 8 | 1970-01-01 - 00:00 | over 55 years |
| 4.2.1 | BSD-3-Clause AND BSD | 8 | 1970-01-01 - 00:00 | over 55 years |
| 4.2 | BSD-3-Clause AND BSD | 8 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.13 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 4.1.12 | BSD-3-Clause AND BSD | 1 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.11 | BSD-3-Clause AND BSD | 2 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.10 | BSD-3-Clause AND BSD | 3 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.9 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.8 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.7 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.6 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.5 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.4 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.3 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.2 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 4.1.1 | BSD-3-Clause AND BSD | 6 | 1970-01-01 - 00:00 | over 55 years |
| 4.1 | BSD-3-Clause AND BSD | 6 | 1970-01-01 - 00:00 | over 55 years |
| 4.0.10 | BSD-3-Clause AND BSD | 1 | 1970-01-01 - 00:00 | over 55 years |
| 4.0.9 | BSD-3-Clause AND BSD | 1 | 1970-01-01 - 00:00 | over 55 years |
| 4.0.8 | BSD-3-Clause AND BSD | 2 | 1970-01-01 - 00:00 | over 55 years |
| 4.0.7 | BSD-3-Clause AND BSD | 3 | 1970-01-01 - 00:00 | over 55 years |
| 4.0.6 | BSD-3-Clause AND BSD | 3 | 2022-07-04 - 07:57 | almost 3 years |
| 4.0.5 | BSD-3-Clause AND BSD | 4 | 2022-06-01 - 12:22 | about 3 years |
| 4.0.4 | BSD-3-Clause AND BSD | 4 | 2022-04-11 - 07:53 | about 3 years |
| 4.0.3 | BSD-3-Clause AND BSD | 4 | 2022-03-01 - 08:47 | over 3 years |
| 4.0.2 | BSD-3-Clause AND BSD | 4 | 2022-02-01 - 07:56 | over 3 years |
| 4.0.1 | BSD-3-Clause AND BSD | 6 | 2022-01-04 - 09:53 | over 3 years |
| 4.0 | BSD-3-Clause AND BSD | 6 | 2021-12-07 - 09:19 | over 3 years |
| 3.2.25 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 3.2.24 | BSD-3-Clause AND BSD | 1 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.23 | BSD-3-Clause AND BSD | 1 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.22 | BSD-3-Clause AND BSD | 2 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.21 | BSD-3-Clause AND BSD | 3 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.20 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.19 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.18 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.17 | BSD-3-Clause AND BSD | 5 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.16 | BSD-3-Clause AND BSD | 6 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.15 | BSD-3-Clause AND BSD | 7 | 1970-01-01 - 00:00 | over 55 years |
| 3.2.14 | BSD-3-Clause AND BSD | 7 | 2022-07-04 - 07:57 | almost 3 years |
| 3.2.13 | BSD-3-Clause AND BSD | 8 | 2022-04-11 - 07:52 | about 3 years |
| 3.2.12 | BSD-3-Clause AND BSD | 8 | 2022-02-01 - 07:56 | over 3 years |
| 3.2.11 | BSD-3-Clause AND BSD | 10 | 2022-01-04 - 09:53 | over 3 years |
| 3.2.10 | BSD-3-Clause AND BSD | 10 | 2021-12-07 - 07:34 | over 3 years |
| 3.2.9 | BSD-3-Clause AND BSD | 10 | 2021-11-01 - 09:31 | over 3 years |
| 3.2.8 | BSD-3-Clause AND BSD | 10 | 2021-10-05 - 07:46 | over 3 years |
| 3.2.7 | BSD-3-Clause AND BSD | 10 | 2021-09-01 - 05:57 | almost 4 years |
| 3.2.6 | BSD-3-Clause AND BSD | 10 | 2021-08-02 - 06:28 | almost 4 years |