Python/django/2.2.26
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
2 Security Vulnerabilities
Infinite Loop in Django
Published date: 2022-02-04T00:00:26Z
CVE: CVE-2022-23833
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23833
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-6cw3-g6wv-c2xv
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
- https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2.24, 4.2.25, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2a1, 5.2b1, 5.2rc1, 6.0a1, 6.0b1]
Recommendation:
Update to version 5.2.7.
Cross-site Scripting in Django
Published date: 2022-02-04T00:00:33Z
CVE: CVE-2022-22818
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22818
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
- https://github.com/advisories/GHSA-95rw-fx8r-36v6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://security.netapp.com/advisory/ntap-20220221-0003/
- https://www.debian.org/security/2022/dsa-5254
- https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
- https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2
- https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20220221-0003
- https://www.djangoproject.com/weblog/2022/feb/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-19.yaml
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Affected versions:
["4.0", "4.0.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "2.2.12", "2.2.17", "2.2.18", "2.2.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.21", "2.2.22", "2.2.23", "2.2.24", "2.2.25", "2.2.26"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2.24, 4.2.25, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2a1, 5.2b1, 5.2rc1, 6.0a1, 6.0b1]
Recommendation:
Update to version 5.2.7.
410 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.2.13 | BSD-3-Clause AND BSD | 8 | 2022-04-11 - 07:52 | over 3 years |
| 3.2.12 | BSD-3-Clause AND BSD | 8 | 2022-02-01 - 07:56 | almost 4 years |
| 3.2.11 | BSD-3-Clause AND BSD | 10 | 2022-01-04 - 09:53 | almost 4 years |
| 3.2.10 | BSD-3-Clause AND BSD | 10 | 2021-12-07 - 07:34 | almost 4 years |
| 3.2.9 | BSD-3-Clause AND BSD | 10 | 2021-11-01 - 09:31 | about 4 years |
| 3.2.8 | BSD-3-Clause AND BSD | 10 | 2021-10-05 - 07:46 | about 4 years |
| 3.2.7 | BSD-3-Clause AND BSD | 10 | 2021-09-01 - 05:57 | about 4 years |
| 3.2.6 | BSD-3-Clause AND BSD | 10 | 2021-08-02 - 06:28 | over 4 years |
| 3.2.5 | BSD-3-Clause AND BSD | 10 | 2021-07-01 - 07:40 | over 4 years |
| 3.2.4 | BSD-3-Clause AND BSD | 10 | 2021-06-02 - 08:54 | over 4 years |
| 3.2.3 | BSD-3-Clause AND BSD | 11 | 2021-05-13 - 07:36 | over 4 years |
| 3.2.2 | BSD-3-Clause AND BSD | 11 | 2021-05-06 - 07:40 | over 4 years |
| 3.2.1 | BSD-3-Clause AND BSD | 11 | 2021-05-04 - 08:47 | over 4 years |
| 3.2 | BSD-3-Clause AND BSD | 11 | 2021-04-06 - 09:33 | over 4 years |
| 3.1.14 | BSD-3-Clause AND BSD | 2021-12-07 - 07:34 | almost 4 years | |
| 3.1.13 | BSD-3-Clause AND BSD | 2021-07-01 - 07:39 | over 4 years | |
| 3.1.12 | BSD-3-Clause AND BSD | 2021-06-02 - 08:53 | over 4 years | |
| 3.1.11 | BSD-3-Clause AND BSD | 1 | 2021-05-13 - 07:36 | over 4 years |
| 3.1.10 | BSD-3-Clause AND BSD | 1 | 2021-05-06 - 07:40 | over 4 years |
| 3.1.9 | BSD-3-Clause AND BSD | 1 | 2021-05-04 - 08:47 | over 4 years |
| 3.1.8 | BSD-3-Clause AND BSD | 1 | 2021-04-06 - 07:34 | over 4 years |
| 3.1.7 | BSD-3-Clause AND BSD | 1 | 2021-02-19 - 09:08 | over 4 years |
| 3.1.6 | BSD-3-Clause AND BSD | 1 | 2021-02-01 - 09:28 | almost 5 years |
| 3.1.5 | BSD-3-Clause AND BSD | 2 | 2021-01-04 - 07:54 | almost 5 years |
| 3.1.4 | BSD-3-Clause AND BSD | 2 | 2020-12-01 - 06:03 | almost 5 years |
| 3.1.3 | BSD-3-Clause AND BSD | 2 | 2020-11-02 - 08:12 | about 5 years |
| 3.1.2 | BSD-3-Clause AND BSD | 2 | 2020-10-01 - 05:38 | about 5 years |
| 3.1.1 | BSD-3-Clause AND BSD | 2 | 2020-09-01 - 09:14 | about 5 years |
| 3.1 | BSD-3-Clause AND BSD | 4 | 2020-08-04 - 08:07 | over 5 years |
| 3.0.14 | BSD | 1 | 2021-04-06 - 07:34 | over 4 years |
| 3.0.13 | BSD | 1 | 2021-02-19 - 09:08 | over 4 years |
| 3.0.12 | BSD | 1 | 2021-02-01 - 09:28 | almost 5 years |
| 3.0.11 | BSD | 2 | 2020-11-02 - 08:12 | about 5 years |
| 3.0.10 | BSD | 2 | 2020-09-01 - 09:14 | about 5 years |
| 3.0.9 | BSD | 4 | 2020-08-03 - 07:23 | over 5 years |
| 3.0.8 | BSD | 4 | 2020-07-01 - 04:49 | over 5 years |
| 3.0.7 | BSD | 4 | 2020-06-03 - 09:36 | over 5 years |
| 3.0.6 | BSD | 6 | 2020-05-04 - 05:26 | over 5 years |
| 3.0.5 | BSD | 6 | 2020-04-01 - 07:59 | over 5 years |
| 3.0.4 | BSD | 6 | 2020-03-04 - 09:31 | over 5 years |
| 3.0.3 | BSD | 7 | 2020-02-03 - 09:50 | over 5 years |
| 3.0.2 | BSD | 7 | 2020-01-02 - 07:22 | almost 6 years |
| 3.0.1 | BSD | 7 | 2019-12-18 - 08:59 | almost 6 years |
| 3.0 | BSD | 7 | 2019-12-02 - 11:13 | almost 6 years |
| 2.2.28 | BSD | 2022-04-11 - 07:52 | over 3 years | |
| 2.2.27 | BSD | 2022-02-01 - 07:56 | almost 4 years | |
| 2.2.26 | BSD | 2 | 2022-01-04 - 09:53 | almost 4 years |
| 2.2.25 | BSD | 2 | 2021-12-07 - 07:34 | almost 4 years |
| 2.2.24 | BSD | 2 | 2021-06-02 - 08:53 | over 4 years |
| 2.2.23 | BSD | 4 | 2021-05-13 - 07:36 | over 4 years |