Python/django/2.1b1

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

https://pypi.org/project/django
BSD

3 Security Vulnerabilities

Path Traversal in Django

Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

Affected versions: ["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10b1", "1.10rc1", "1.11.1", "1.11.12", "1.11.14", "1.11.15", "1.11.18", "1.11.22", "1.11.23", "1.11.24", "1.11.26", "1.11.27", "1.11.3", "1.11.8", "1.11.9", "1.11rc1", "1.2", "1.2.2", "1.2.4", "1.2.5", "1.2.6", "1.3", "1.3.4", "1.3.7", "1.4", "1.4.10", "1.4.12", "1.4.16", "1.4.17", "1.4.19", "1.4.22", "1.4.7", "1.4.8", "1.5.1", "1.5.3", "1.5.5", "1.5.6", "1.5.7", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.3", "1.6.4", "1.6.6", "1.7.10", "1.7.11", "1.7.2", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.13", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.2", "1.8.5", "1.8.6", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.11", "1.9.8", "1.9.9", "1.9b1", "1.9rc2", "2.0", "2.0.1", "2.0.3", "2.0.4", "2.0.5", "2.0a1", "2.1.1", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.8", "2.1a1", "2.2.12", "2.2.17", "2.2.18", "2.2.9", "1.1", "1.1.1", "1.1.2", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.11", "1.11.10", "1.11.11", "1.11.13", "1.11.16", "1.11.17", "1.11.2", "1.11.20", "1.11.21", "1.11.25", "1.11.28", "1.11.29", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11a1", "1.11b1", "1.2.1", "1.2.3", "1.2.7", "1.3.1", "1.3.2", "1.3.3", "1.3.5", "1.3.6", "1.4.1", "1.4.11", "1.4.13", "1.4.14", "1.4.15", "1.4.18", "1.4.2", "1.4.20", "1.4.21", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.9", "1.5", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.4", "1.5.8", "1.5.9", "1.6.2", "1.6.5", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.3", "1.7.4", "1.7.5", "1.8.11", "1.8.12", "1.8.14", "1.8.19", "1.8.3", "1.8.4", "1.8.7", "1.8.8", "1.9.10", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9a1", "1.9rc1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0b1", "2.0rc1", "2.1", "2.1.10", "2.1.11", "2.1.12", "2.1.5", "2.1.7", "2.1.9", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions: [2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation: Update to version 5.2.3.

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

Published date: 2019-04-26T16:29:11Z
CVE: CVE-2019-11358
Links:

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Affected versions: ["2.0b1", "2.0rc1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2a1", "2.2b1", "2.2rc1", "2.0", "2.0.1", "2.0.3", "2.0.4", "2.0.5", "2.0a1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.8", "2.1a1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.5", "2.1.7"]
Secure versions: [2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation: Update to version 5.2.3.

Data leakage via cache key collision in Django

Published date: 2020-06-05T16:20:44Z
CVE: CVE-2020-13254
Links:

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

Affected versions: ["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1"]
Secure versions: [2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation: Update to version 5.2.3.

400 Other Versions

Version License Security Released
1.5.1 BSD 16 2013-03-28 - 20:57 over 12 years
1.5 BSD 16 2013-02-26 - 19:30 over 12 years
1.4.22 BSD 10 2015-08-18 - 17:22 almost 10 years
1.4.21 BSD 11 2015-07-08 - 19:56 almost 10 years
1.4.20 BSD 13 2015-03-19 - 00:03 over 10 years
1.4.19 BSD 13 2015-01-27 - 17:11 over 10 years
1.4.18 BSD 13 2015-01-13 - 18:54 over 10 years
1.4.17 BSD 16 2015-01-03 - 02:20 over 10 years
1.4.16 BSD 16 2014-10-22 - 16:37 over 10 years
1.4.15 BSD 16 2014-09-02 - 20:44 almost 11 years
1.4.14 BSD 16 2014-08-20 - 20:01 almost 11 years
1.4.13 BSD 19 2014-05-14 - 18:27 about 11 years
1.4.12 BSD 21 2014-04-28 - 20:30 about 11 years
1.4.11 BSD 21 2014-04-21 - 22:40 about 11 years
1.4.10 BSD 23 2013-11-06 - 14:21 over 11 years
1.4.9 BSD 23 2013-10-25 - 04:38 over 11 years
1.4.8 BSD 23 2013-09-15 - 06:22 almost 12 years
1.4.7 BSD 24 2013-09-11 - 01:18 almost 12 years
1.4.6 BSD 25 2013-08-13 - 16:52 almost 12 years
1.4.5 BSD 26 2013-02-20 - 19:54 over 12 years
1.4.4 BSD 26 2013-02-19 - 20:27 over 12 years
1.4.3 BSD 28 2012-12-10 - 21:46 over 12 years
1.4.2 BSD 28 2012-10-17 - 22:18 over 12 years
1.4.1 BSD 29 2012-07-30 - 22:48 almost 13 years
1.4 BSD 30 2012-03-23 - 18:00 over 13 years
1.3.7 BSD 20 2013-02-20 - 20:03 over 12 years
1.3.6 BSD 20 2013-02-19 - 20:32 over 12 years
1.3.5 BSD 22 2012-12-10 - 21:39 over 12 years
1.3.4 BSD 22 2013-03-05 - 22:33 over 12 years
1.3.3 BSD 23 2012-08-01 - 22:08 almost 13 years
1.3.2 BSD 23 2012-07-30 - 23:02 almost 13 years
1.3.1 BSD 25 2011-09-10 - 03:36 almost 14 years
1.3 BSD 28 2011-03-23 - 06:09 over 14 years
1.2.7 BSD 22 2011-09-11 - 03:05 almost 14 years
1.2.6 BSD 26 2011-09-10 - 03:42 almost 14 years
1.2.5 BSD 26 2011-02-09 - 04:08 over 14 years
1.2.4 BSD 29 2010-12-23 - 05:15 over 14 years
1.2.3 BSD 29 2010-09-11 - 08:50 almost 15 years
1.2.2 BSD 29 2010-09-09 - 02:41 almost 15 years
1.2.1 BSD 30 2010-05-24 - 21:19 about 15 years
1.2 BSD 30 2010-05-17 - 20:04 about 15 years
1.1.4 BSD 24 2011-02-09 - 04:13 over 14 years
1.1.3 BSD 27 2010-12-23 - 05:14 over 14 years
1.1.2 BSD 29 1970-01-01 - 00:00 over 55 years
1.1.1 BSD 29 1970-01-01 - 00:00 over 55 years
1.1 BSD 29 1970-01-01 - 00:00 over 55 years
1.0.4 BSD 26 1970-01-01 - 00:00 over 55 years
1.0.3 BSD 26 1970-01-01 - 00:00 over 55 years
1.0.2 BSD 26 1970-01-01 - 00:00 over 55 years
1.0.1 BSD 26 1970-01-01 - 00:00 over 55 years