Python/django/3.1.1
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
2 Security Vulnerabilities
Django Directory Traversal via archive.extract
Published date: 2021-03-18T20:29:49Z
CVE: CVE-2021-3281
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- https://github.com/advisories/GHSA-fvgf-6h6h-3322
- https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- https://security.netapp.com/advisory/ntap-20210226-0004/
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
- https://docs.djangoproject.com/en/3.1/releases/3.0.12/
- https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
- https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
- https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a
- https://docs.djangoproject.com/en/3.1/releases/3.0.12
- https://docs.djangoproject.com/en/3.1/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO
- https://security.netapp.com/advisory/ntap-20210226-0004
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template
and startproject --template
) allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Affected versions:
["3.0.1", "3.0.10", "3.0.11", "3.0.3", "3.0.4", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.0", "3.0.2", "3.0.5", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "2.2.12", "2.2.17", "2.2.9", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
Published date: 2021-06-10T17:21:12Z
CVE: CVE-2021-33571
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33571
- https://github.com/advisories/GHSA-p99v-5w3c-jqq9
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
- https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
- https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .
Affected versions:
["3.2", "3.2.1", "3.2.2", "3.2.3", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1a1", "3.1b1", "3.1rc1", "3.1.9", "3.1.10", "3.1.11", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 2.2a1 | BSD | 3 | 2019-01-17 - 15:35 | over 6 years |
| 2.2b1 | BSD | 3 | 2019-02-11 - 10:33 | over 6 years |
| 3.0rc1 | BSD | 1 | 2019-11-18 - 08:51 | over 5 years |
| 3.1b1 | BSD-3-Clause AND BSD | 2 | 2020-06-15 - 08:15 | about 5 years |
| 3.2b1 | BSD-3-Clause AND BSD | 1 | 2021-02-19 - 09:35 | over 4 years |
| 1.11rc1 | BSD | 24 | 2017-03-21 - 22:55 | over 8 years |
| 4.0a1 | BSD-3-Clause AND BSD | 1 | 2021-09-21 - 19:08 | almost 4 years |
| 4.0b1 | BSD-3-Clause AND BSD | 1 | 2021-10-25 - 09:23 | over 3 years |
| 1.10b1 | BSD | 25 | 2016-06-22 - 01:15 | about 9 years |
| 4.0rc1 | BSD-3-Clause AND BSD | 1 | 2021-11-22 - 06:37 | over 3 years |
| 4.1a1 | BSD-3-Clause AND BSD | 2 | 2022-05-18 - 05:54 | about 3 years |
| 4.1b1 | BSD-3-Clause AND BSD | 2 | 2022-06-21 - 09:20 | about 3 years |
| 4.1rc1 | BSD-3-Clause AND BSD | 2 | 1970-01-01 - 00:00 | over 55 years |
| 4.2a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 4.2b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 4.2rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8b2 | BSD | 6 | 2015-03-09 - 15:55 | over 10 years |
| 5.0a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.0b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.0rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.11a1 | BSD | 25 | 2017-01-18 - 01:01 | over 8 years |
| 1.11b1 | BSD | 25 | 2017-02-20 - 23:21 | over 8 years |
| 5.1a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 2.1a1 | BSD | 3 | 2018-05-18 - 01:01 | about 7 years |
| 5.1b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.1rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 3.1a1 | BSD-3-Clause AND BSD | 1 | 2020-05-14 - 09:41 | about 5 years |
| 5.2a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8a1 | BSD | 6 | 2015-01-16 - 22:25 | over 10 years |
| 3.1rc1 | BSD-3-Clause AND BSD | 2 | 2020-07-20 - 06:38 | almost 5 years |
| 5.2b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.2rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8b1 | BSD | 7 | 2015-02-25 - 13:42 | over 10 years |
| 1.8c1 | BSD | 5 | 2015-03-18 - 23:39 | over 10 years |
| 1.9rc1 | BSD | 3 | 2015-11-16 - 21:10 | over 9 years |
| 2.0b1 | BSD | 2 | 2017-10-17 - 02:00 | over 7 years |
| 1.9b1 | BSD | 3 | 2015-10-20 - 01:17 | over 9 years |
| 3.0b1 | BSD | 1 | 2019-10-14 - 10:21 | over 5 years |
| 3.2a1 | BSD-3-Clause AND BSD | 1 | 2021-01-19 - 13:04 | over 4 years |
| 1.9rc2 | BSD | 2 | 2015-11-24 - 17:35 | over 9 years |
| 2.0rc1 | BSD | 2 | 2017-11-15 - 23:51 | over 7 years |
| 2.1b1 | BSD | 3 | 2018-06-18 - 23:55 | about 7 years |
| 3.2rc1 | BSD-3-Clause AND BSD | 1 | 2021-03-18 - 13:55 | over 4 years |
| 2.2rc1 | BSD | 3 | 2019-03-18 - 08:57 | over 6 years |
| 1.10rc1 | BSD | 24 | 2016-07-18 - 18:04 | almost 9 years |
| 3.0a1 | BSD | 2019-09-10 - 09:19 | almost 6 years | |
| 1.10a1 | BSD | 25 | 2016-05-20 - 12:16 | about 9 years |
| 1.9a1 | BSD | 3 | 2015-09-24 - 00:20 | almost 10 years |
| 2.0a1 | BSD | 2 | 2017-09-22 - 18:09 | almost 8 years |
| 2.1rc1 | BSD | 3 | 2018-07-18 - 17:35 | almost 7 years |