Python/django/3.0.9

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

https://pypi.org/project/django
BSD

6 Security Vulnerabilities

Path Traversal in Django

Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

Affected versions: ["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

Django Incorrect Default Permissions

Published date: 2021-03-18T20:30:01Z
CVE: CVE-2020-24584
Links:

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

Affected versions: ["3.1", "3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

Django Directory Traversal via archive.extract

Published date: 2021-03-18T20:29:49Z
CVE: CVE-2021-3281
Links:

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template and startproject --template) allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Affected versions: ["3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

Django Incorrect Default Permissions

Published date: 2021-03-18T20:30:13Z
CVE: CVE-2020-24583
Links:

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILEUPLOADDIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

Affected versions: ["3.1", "3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Published date: 2021-06-10T17:21:12Z
CVE: CVE-2021-33571
Links:

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .

Affected versions: ["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

Django denial-of-service attack in the intcomma template filter

Published date: 2024-02-07T00:30:25Z
CVE: CVE-2024-24680
Links:

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Affected versions: ["5.0", "5.0.1", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.0a1", "3.0b1", "3.0rc1", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.2", "3.2a1", "3.2b1", "3.2rc1", "2.2.21", "3.1.9", "3.2.1", "2.2.22", "3.1.10", "3.2.2", "2.2.23", "3.1.11", "3.2.3", "2.2.24", "3.1.12", "3.2.4", "3.1.13", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "2.2.25", "3.1.14", "3.2.10", "2.2.26", "3.2.11", "2.2.27", "3.2.12", "2.2.28", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23"]
Secure versions: [4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5]
Recommendation: Update to version 5.0.6.

358 Other Versions

Version License Security Released
1.2.4 BSD 30 2010-12-23 - 05:15 over 13 years
1.2.3 BSD 32 2010-09-11 - 08:50 over 13 years
1.2.2 BSD 32 2010-09-09 - 02:41 over 13 years
1.2.1 BSD 33 2010-05-24 - 21:19 almost 14 years
1.2 BSD 33 2010-05-17 - 20:04 almost 14 years
1.1.4 BSD 25 2011-02-09 - 04:13 about 13 years
1.1.3 BSD 28 2010-12-23 - 05:14 over 13 years
1.1.2 BSD 30
1.1.1 BSD 30
1.1 BSD 30
1.0.4 BSD 27
1.0.3 BSD 27
1.0.2 BSD 27
1.0.1 BSD 27
4.0b1 BSD-3-Clause AND BSD 1 2021-10-25 - 09:23 over 2 years
4.0a1 BSD-3-Clause AND BSD 1 2021-09-21 - 19:08 over 2 years
4.0rc1 BSD-3-Clause AND BSD 1 2021-11-22 - 06:37 over 2 years
3.2rc1 BSD-3-Clause AND BSD 2 2021-03-18 - 13:55 about 3 years
3.2a1 BSD-3-Clause AND BSD 2 2021-01-19 - 13:04 over 3 years
3.2b1 BSD-3-Clause AND BSD 2 2021-02-19 - 09:35 about 3 years
3.1a1 BSD-3-Clause AND BSD 3 2020-05-14 - 09:41 almost 4 years
3.1b1 BSD-3-Clause AND BSD 4 2020-06-15 - 08:15 almost 4 years
3.0b1 BSD 2 2019-10-14 - 10:21 over 4 years
3.0a1 BSD 1 2019-09-10 - 09:19 over 4 years
3.0rc1 BSD 2 2019-11-18 - 08:51 over 4 years
3.1rc1 BSD-3-Clause AND BSD 4 2020-07-20 - 06:38 almost 4 years
2.2rc1 BSD 6 2019-03-18 - 08:57 about 5 years
2.2b1 BSD 6 2019-02-11 - 10:33 about 5 years
2.2a1 BSD 6 2019-01-17 - 15:35 over 5 years
2.1b1 BSD 6 2018-06-18 - 23:55 almost 6 years
2.1a1 BSD 6 2018-05-18 - 01:01 almost 6 years
2.1rc1 BSD 6 2018-07-18 - 17:35 almost 6 years
2.0rc1 BSD 3 2017-11-15 - 23:51 over 6 years
2.0a1 BSD 3 2017-09-22 - 18:09 over 6 years
2.0b1 BSD 3 2017-10-17 - 02:00 over 6 years
1.9rc2 BSD 3 2015-11-24 - 17:35 over 8 years
1.9b1 BSD 4 2015-10-20 - 01:17 over 8 years
1.9a1 BSD 4 2015-09-24 - 00:20 over 8 years
1.9rc1 BSD 4 2015-11-16 - 21:10 over 8 years
1.8b2 BSD 7 2015-03-09 - 15:55 about 9 years
1.8b1 BSD 8 2015-02-25 - 13:42 about 9 years
1.8c1 BSD 6 2015-03-18 - 23:39 about 9 years
1.8a1 BSD 7 2015-01-16 - 22:25 over 9 years
1.11b1 BSD 26 2017-02-20 - 23:21 about 7 years
1.11a1 BSD 26 2017-01-18 - 01:01 over 7 years
1.11rc1 BSD 25 2017-03-21 - 22:55 about 7 years
1.10rc1 BSD 25 2016-07-18 - 18:04 almost 8 years
1.10a1 BSD 26 2016-05-20 - 12:16 almost 8 years
1.10b1 BSD 26 2016-06-22 - 01:15 almost 8 years
4.2rc1 BSD-3-Clause AND BSD
5.0b1 BSD-3-Clause AND BSD
5.0rc1 BSD-3-Clause AND BSD
5.0a1 BSD-3-Clause AND BSD
4.2b1 BSD-3-Clause AND BSD
4.2a1 BSD-3-Clause AND BSD
4.1rc1 BSD-3-Clause AND BSD 2
4.1a1 BSD-3-Clause AND BSD 2 2022-05-18 - 05:54 almost 2 years
4.1b1 BSD-3-Clause AND BSD 2 2022-06-21 - 09:20 almost 2 years