Python/django/2.2.24
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
2 Security Vulnerabilities
Infinite Loop in Django
Published date: 2022-02-04T00:00:26Z
CVE: CVE-2022-23833
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23833
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-6cw3-g6wv-c2xv
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
- https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Cross-site Scripting in Django
Published date: 2022-02-04T00:00:33Z
CVE: CVE-2022-22818
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22818
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-95rw-fx8r-36v6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
- https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2
- https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20220221-0003
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-19.yaml
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2.12", "2.2.17", "2.2.18", "2.2.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.11.22 | BSD | 8 | 2019-07-01 - 07:19 | about 6 years |
| 1.11.21 | BSD | 9 | 2019-06-03 - 10:10 | about 6 years |
| 1.11.20 | BSD | 10 | 2019-02-11 - 15:10 | over 6 years |
| 1.11.18 | BSD | 11 | 2019-01-04 - 14:10 | over 6 years |
| 1.11.17 | BSD | 12 | 2018-12-03 - 17:02 | over 6 years |
| 1.11.16 | BSD | 12 | 2018-10-01 - 09:22 | over 6 years |
| 1.11.15 | BSD | 12 | 2018-08-01 - 13:45 | almost 7 years |
| 1.11.14 | BSD | 12 | 2018-07-02 - 09:01 | almost 7 years |
| 1.11.13 | BSD | 12 | 2018-05-02 - 01:54 | about 7 years |
| 1.11.12 | BSD | 12 | 2018-04-03 - 02:45 | about 7 years |
| 1.11.11 | BSD | 12 | 2018-03-06 - 14:15 | over 7 years |
| 1.11.10 | BSD | 14 | 2018-02-01 - 14:40 | over 7 years |
| 1.11.9 | BSD | 15 | 2018-01-02 - 01:01 | over 7 years |
| 1.11.8 | BSD | 15 | 2017-12-02 - 14:20 | over 7 years |
| 1.11.7 | BSD | 14 | 2017-11-02 - 01:26 | over 7 years |
| 1.11.6 | BSD | 14 | 2017-10-05 - 18:21 | over 7 years |
| 1.11.5 | BSD | 14 | 2017-09-05 - 15:18 | almost 8 years |
| 1.11.4 | BSD | 15 | 2017-08-01 - 12:24 | almost 8 years |
| 1.11.3 | BSD | 15 | 2017-07-01 - 23:24 | almost 8 years |
| 1.11.2 | BSD | 15 | 2017-06-01 - 16:47 | about 8 years |
| 1.11.1 | BSD | 15 | 2017-05-06 - 13:26 | about 8 years |
| 1.11 | BSD | 15 | 2017-04-04 - 15:59 | about 8 years |
| 1.10.8 | BSD | 5 | 2017-09-05 - 15:31 | almost 8 years |
| 1.10.7 | BSD | 6 | 2017-04-04 - 14:27 | about 8 years |
| 1.10.6 | BSD | 8 | 2017-03-01 - 13:37 | over 8 years |
| 1.10.5 | BSD | 8 | 2017-01-04 - 19:22 | over 8 years |
| 1.10.4 | BSD | 8 | 2016-12-01 - 23:46 | over 8 years |
| 1.10.3 | BSD | 8 | 2016-11-01 - 13:56 | over 8 years |
| 1.10.2 | BSD | 10 | 2016-10-01 - 20:05 | over 8 years |
| 1.10.1 | BSD | 10 | 2016-09-01 - 23:17 | almost 9 years |
| 1.10 | BSD | 10 | 2016-08-01 - 18:32 | almost 9 years |
| 1.9.13 | BSD | 5 | 2017-04-04 - 14:14 | about 8 years |
| 1.9.12 | BSD | 7 | 2016-12-01 - 23:16 | over 8 years |
| 1.9.11 | BSD | 7 | 2016-11-01 - 14:02 | over 8 years |
| 1.9.10 | BSD | 9 | 2016-09-26 - 18:32 | almost 9 years |
| 1.9.9 | BSD | 10 | 2016-08-01 - 18:10 | almost 9 years |
| 1.9.8 | BSD | 10 | 2016-07-18 - 18:19 | almost 9 years |
| 1.9.7 | BSD | 11 | 2016-06-04 - 23:43 | about 9 years |
| 1.9.6 | BSD | 11 | 2016-05-02 - 22:33 | about 9 years |
| 1.9.5 | BSD | 11 | 2016-04-01 - 17:47 | about 9 years |
| 1.9.4 | BSD | 11 | 2016-03-05 - 14:31 | over 9 years |
| 1.9.3 | BSD | 11 | 2016-03-01 - 17:00 | over 9 years |
| 1.9.2 | BSD | 12 | 2016-02-01 - 17:17 | over 9 years |
| 1.9.1 | BSD | 13 | 2016-01-02 - 13:50 | over 9 years |
| 1.9 | BSD | 13 | 2015-12-01 - 23:55 | over 9 years |
| 1.8.19 | BSD | 5 | 2018-03-06 - 14:22 | over 7 years |
| 1.8.18 | BSD | 7 | 2017-04-04 - 14:07 | about 8 years |
| 1.8.17 | BSD | 9 | 2016-12-01 - 23:03 | over 8 years |
| 1.8.16 | BSD | 9 | 2016-11-01 - 14:09 | over 8 years |
| 1.8.15 | BSD | 11 | 2016-09-26 - 18:30 | almost 9 years |