Python/django/3.2.20
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
4 Security Vulnerabilities
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
Published date: 2023-11-03T06:36:29Z
CVE: CVE-2023-41164
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41164
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
- https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
- https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
- https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-225.yaml
- https://github.com/advisories/GHSA-7h4p-27mh-hmrw
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://security.netapp.com/advisory/ntap-20231214-0002/
- https://docs.djangoproject.com/en/4.2/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://security.netapp.com/advisory/ntap-20231214-0002
- https://www.djangoproject.com/weblog/2023/sep/04/security-releases
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uritoiri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django Denial-of-service in django.utils.text.Truncator
Published date: 2023-11-03T06:36:30Z
CVE: CVE-2023-43665
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43665
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
- https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
- https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8
- https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml
- https://github.com/advisories/GHSA-h8gc-pgj2-vjm3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://docs.djangoproject.com/en/4.2/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://security.netapp.com/advisory/ntap-20231221-0001
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases
- http://www.openwall.com/lists/oss-security/2024/03/04/1
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatecharshtml and truncatewordshtml template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django potential denial of service vulnerability in UsernameField on Windows
Published date: 2023-11-02T06:30:25Z
CVE: CVE-2023-46695
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://github.com/advisories/GHSA-qmf9-6jqf-j8fq
- https://groups.google.com/forum/#%21forum/django-announce
- https://security.netapp.com/advisory/ntap-20231214-0001/
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Regular expression denial-of-service in Django
Published date: 2024-03-15T21:30:43Z
CVE: CVE-2024-27351
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-27351
- https://docs.djangoproject.com/en/5.0/releases/security
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml
- https://github.com/advisories/GHSA-vm8q-m57g-pff3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
- https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
- https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Affected versions:
["5.0", "5.0.1", "5.0.2", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23", "3.2.24"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 2.2a1 | BSD | 3 | 2019-01-17 - 15:35 | over 6 years |
| 2.2b1 | BSD | 3 | 2019-02-11 - 10:33 | over 6 years |
| 3.0rc1 | BSD | 1 | 2019-11-18 - 08:51 | over 5 years |
| 3.1b1 | BSD-3-Clause AND BSD | 2 | 2020-06-15 - 08:15 | about 5 years |
| 3.2b1 | BSD-3-Clause AND BSD | 1 | 2021-02-19 - 09:35 | over 4 years |
| 1.11rc1 | BSD | 24 | 2017-03-21 - 22:55 | over 8 years |
| 4.0a1 | BSD-3-Clause AND BSD | 1 | 2021-09-21 - 19:08 | almost 4 years |
| 4.0b1 | BSD-3-Clause AND BSD | 1 | 2021-10-25 - 09:23 | over 3 years |
| 1.10b1 | BSD | 25 | 2016-06-22 - 01:15 | about 9 years |
| 4.0rc1 | BSD-3-Clause AND BSD | 1 | 2021-11-22 - 06:37 | over 3 years |
| 4.1a1 | BSD-3-Clause AND BSD | 2 | 2022-05-18 - 05:54 | about 3 years |
| 4.1b1 | BSD-3-Clause AND BSD | 2 | 2022-06-21 - 09:20 | about 3 years |
| 4.1rc1 | BSD-3-Clause AND BSD | 2 | 1970-01-01 - 00:00 | over 55 years |
| 4.2a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 4.2b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 4.2rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8b2 | BSD | 6 | 2015-03-09 - 15:55 | over 10 years |
| 5.0a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.0b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.0rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.11a1 | BSD | 25 | 2017-01-18 - 01:01 | over 8 years |
| 1.11b1 | BSD | 25 | 2017-02-20 - 23:21 | over 8 years |
| 5.1a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 2.1a1 | BSD | 3 | 2018-05-18 - 01:01 | about 7 years |
| 5.1b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.1rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 3.1a1 | BSD-3-Clause AND BSD | 1 | 2020-05-14 - 09:41 | about 5 years |
| 5.2a1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8a1 | BSD | 6 | 2015-01-16 - 22:25 | over 10 years |
| 3.1rc1 | BSD-3-Clause AND BSD | 2 | 2020-07-20 - 06:38 | almost 5 years |
| 5.2b1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 5.2rc1 | BSD-3-Clause AND BSD | 1970-01-01 - 00:00 | over 55 years | |
| 1.8b1 | BSD | 7 | 2015-02-25 - 13:42 | over 10 years |
| 1.8c1 | BSD | 5 | 2015-03-18 - 23:39 | over 10 years |
| 1.9rc1 | BSD | 3 | 2015-11-16 - 21:10 | over 9 years |
| 2.0b1 | BSD | 2 | 2017-10-17 - 02:00 | over 7 years |
| 1.9b1 | BSD | 3 | 2015-10-20 - 01:17 | over 9 years |
| 3.0b1 | BSD | 1 | 2019-10-14 - 10:21 | over 5 years |
| 3.2a1 | BSD-3-Clause AND BSD | 1 | 2021-01-19 - 13:04 | over 4 years |
| 1.9rc2 | BSD | 2 | 2015-11-24 - 17:35 | over 9 years |
| 2.0rc1 | BSD | 2 | 2017-11-15 - 23:51 | over 7 years |
| 2.1b1 | BSD | 3 | 2018-06-18 - 23:55 | about 7 years |
| 3.2rc1 | BSD-3-Clause AND BSD | 1 | 2021-03-18 - 13:55 | over 4 years |
| 2.2rc1 | BSD | 3 | 2019-03-18 - 08:57 | over 6 years |
| 1.10rc1 | BSD | 24 | 2016-07-18 - 18:04 | almost 9 years |
| 3.0a1 | BSD | 2019-09-10 - 09:19 | almost 6 years | |
| 1.10a1 | BSD | 25 | 2016-05-20 - 12:16 | about 9 years |
| 1.9a1 | BSD | 3 | 2015-09-24 - 00:20 | almost 10 years |
| 2.0a1 | BSD | 2 | 2017-09-22 - 18:09 | almost 8 years |
| 2.1rc1 | BSD | 3 | 2018-07-18 - 17:35 | almost 7 years |