Python/django/2.2.24
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
3 Security Vulnerabilities
Infinite Loop in Django
Published date: 2022-02-04T00:00:26Z
CVE: CVE-2022-23833
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23833
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-6cw3-g6wv-c2xv
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
- https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Cross-site Scripting in Django
Published date: 2022-02-04T00:00:33Z
CVE: CVE-2022-22818
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22818
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-95rw-fx8r-36v6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
- https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2
- https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20220221-0003
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django denial-of-service attack in the intcomma template filter
Published date: 2024-02-07T00:30:25Z
CVE: CVE-2024-24680
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-24680
- https://docs.djangoproject.com/en/5.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
- https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc
- https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
- https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
- https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml
- https://github.com/advisories/GHSA-xxj9-f6rv-m3x4
- https://docs.djangoproject.com/en/5.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://www.djangoproject.com/weblog/2024/feb/06/security-releases
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Affected versions:
["5.0", "5.0.1", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.0a1", "3.0b1", "3.0rc1", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.2", "3.2a1", "3.2b1", "3.2rc1", "2.2.21", "3.1.9", "3.2.1", "2.2.22", "3.1.10", "3.2.2", "2.2.23", "3.1.11", "3.2.3", "2.2.24", "3.1.12", "3.2.4", "3.1.13", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "2.2.25", "3.1.14", "3.2.10", "2.2.26", "3.2.11", "2.2.27", "3.2.12", "2.2.28", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
360 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.2.6 | BSD | 27 | 2011-09-10 - 03:42 | over 12 years |
| 1.2.5 | BSD | 27 | 2011-02-09 - 04:08 | over 13 years |
| 1.2.4 | BSD | 30 | 2010-12-23 - 05:15 | over 13 years |
| 1.2.3 | BSD | 32 | 2010-09-11 - 08:50 | over 13 years |
| 1.2.2 | BSD | 32 | 2010-09-09 - 02:41 | over 13 years |
| 1.2.1 | BSD | 33 | 2010-05-24 - 21:19 | almost 14 years |
| 1.2 | BSD | 33 | 2010-05-17 - 20:04 | about 14 years |
| 1.1.4 | BSD | 25 | 2011-02-09 - 04:13 | over 13 years |
| 1.1.3 | BSD | 28 | 2010-12-23 - 05:14 | over 13 years |
| 1.1.2 | BSD | 30 | ||
| 1.1.1 | BSD | 30 | ||
| 1.1 | BSD | 30 | ||
| 1.0.4 | BSD | 27 | ||
| 1.0.3 | BSD | 27 | ||
| 1.0.2 | BSD | 27 | ||
| 1.0.1 | BSD | 27 | ||
| 4.0b1 | BSD-3-Clause AND BSD | 1 | 2021-10-25 - 09:23 | over 2 years |
| 4.0a1 | BSD-3-Clause AND BSD | 1 | 2021-09-21 - 19:08 | over 2 years |
| 4.0rc1 | BSD-3-Clause AND BSD | 1 | 2021-11-22 - 06:37 | over 2 years |
| 3.2rc1 | BSD-3-Clause AND BSD | 2 | 2021-03-18 - 13:55 | about 3 years |
| 3.2a1 | BSD-3-Clause AND BSD | 2 | 2021-01-19 - 13:04 | over 3 years |
| 3.2b1 | BSD-3-Clause AND BSD | 2 | 2021-02-19 - 09:35 | about 3 years |
| 3.1a1 | BSD-3-Clause AND BSD | 3 | 2020-05-14 - 09:41 | about 4 years |
| 3.1b1 | BSD-3-Clause AND BSD | 4 | 2020-06-15 - 08:15 | almost 4 years |
| 3.0b1 | BSD | 2 | 2019-10-14 - 10:21 | over 4 years |
| 3.0a1 | BSD | 1 | 2019-09-10 - 09:19 | over 4 years |
| 3.0rc1 | BSD | 2 | 2019-11-18 - 08:51 | over 4 years |
| 3.1rc1 | BSD-3-Clause AND BSD | 4 | 2020-07-20 - 06:38 | almost 4 years |
| 2.2rc1 | BSD | 6 | 2019-03-18 - 08:57 | about 5 years |
| 2.2b1 | BSD | 6 | 2019-02-11 - 10:33 | over 5 years |
| 2.2a1 | BSD | 6 | 2019-01-17 - 15:35 | over 5 years |
| 2.1b1 | BSD | 6 | 2018-06-18 - 23:55 | almost 6 years |
| 2.1a1 | BSD | 6 | 2018-05-18 - 01:01 | about 6 years |
| 2.1rc1 | BSD | 6 | 2018-07-18 - 17:35 | almost 6 years |
| 2.0rc1 | BSD | 3 | 2017-11-15 - 23:51 | over 6 years |
| 2.0a1 | BSD | 3 | 2017-09-22 - 18:09 | over 6 years |
| 2.0b1 | BSD | 3 | 2017-10-17 - 02:00 | over 6 years |
| 1.9rc2 | BSD | 3 | 2015-11-24 - 17:35 | over 8 years |
| 1.9b1 | BSD | 4 | 2015-10-20 - 01:17 | over 8 years |
| 1.9a1 | BSD | 4 | 2015-09-24 - 00:20 | over 8 years |
| 1.9rc1 | BSD | 4 | 2015-11-16 - 21:10 | over 8 years |
| 1.8b2 | BSD | 7 | 2015-03-09 - 15:55 | about 9 years |
| 1.8b1 | BSD | 8 | 2015-02-25 - 13:42 | about 9 years |
| 1.8c1 | BSD | 6 | 2015-03-18 - 23:39 | about 9 years |
| 1.8a1 | BSD | 7 | 2015-01-16 - 22:25 | over 9 years |
| 1.11b1 | BSD | 26 | 2017-02-20 - 23:21 | about 7 years |
| 1.11a1 | BSD | 26 | 2017-01-18 - 01:01 | over 7 years |
| 1.11rc1 | BSD | 25 | 2017-03-21 - 22:55 | about 7 years |
| 1.10rc1 | BSD | 25 | 2016-07-18 - 18:04 | almost 8 years |
| 1.10a1 | BSD | 26 | 2016-05-20 - 12:16 | almost 8 years |
| 1.10b1 | BSD | 26 | 2016-06-22 - 01:15 | almost 8 years |
| 5.0rc1 | BSD-3-Clause AND BSD | |||
| 5.0b1 | BSD-3-Clause AND BSD | |||
| 5.0a1 | BSD-3-Clause AND BSD | |||
| 4.2rc1 | BSD-3-Clause AND BSD | |||
| 4.2b1 | BSD-3-Clause AND BSD | |||
| 4.2a1 | BSD-3-Clause AND BSD | |||
| 4.1rc1 | BSD-3-Clause AND BSD | 2 | ||
| 4.1a1 | BSD-3-Clause AND BSD | 2 | 2022-05-18 - 05:54 | about 2 years |
| 4.1b1 | BSD-3-Clause AND BSD | 2 | 2022-06-21 - 09:20 | almost 2 years |