Python/django/3.2.22
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
2 Security Vulnerabilities
Django potential denial of service vulnerability in UsernameField on Windows
Published date: 2023-11-02T06:30:25Z
CVE: CVE-2023-46695
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://github.com/advisories/GHSA-qmf9-6jqf-j8fq
- https://groups.google.com/forum/#%21forum/django-announce
- https://security.netapp.com/advisory/ntap-20231214-0001/
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Regular expression denial-of-service in Django
Published date: 2024-03-15T21:30:43Z
CVE: CVE-2024-27351
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-27351
- https://docs.djangoproject.com/en/5.0/releases/security
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml
- https://github.com/advisories/GHSA-vm8q-m57g-pff3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
- https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
- https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Affected versions:
["5.0", "5.0.1", "5.0.2", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23", "3.2.24"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.8.14 | BSD | 12 | 2016-07-18 - 18:38 | almost 9 years |
| 1.8.13 | BSD | 13 | 2016-05-02 - 22:49 | about 9 years |
| 1.8.12 | BSD | 13 | 2016-04-01 - 17:54 | about 9 years |
| 1.8.11 | BSD | 13 | 2016-03-05 - 18:36 | over 9 years |
| 1.8.10 | BSD | 13 | 2016-03-01 - 17:10 | over 9 years |
| 1.8.9 | BSD | 15 | 2016-02-01 - 17:24 | over 9 years |
| 1.8.8 | BSD | 15 | 2016-01-02 - 14:28 | over 9 years |
| 1.8.7 | BSD | 15 | 2015-11-24 - 17:28 | over 9 years |
| 1.8.6 | BSD | 15 | 2015-11-04 - 17:03 | over 9 years |
| 1.8.5 | BSD | 15 | 2015-10-04 - 00:06 | over 9 years |
| 1.8.4 | BSD | 15 | 2015-08-18 - 17:06 | almost 10 years |
| 1.8.3 | BSD | 16 | 2015-07-08 - 19:43 | almost 10 years |
| 1.8.2 | BSD | 17 | 2015-05-20 - 18:02 | about 10 years |
| 1.8.1 | BSD | 17 | 2015-05-01 - 20:36 | about 10 years |
| 1.8 | BSD | 17 | 2015-04-01 - 20:12 | about 10 years |
| 1.7.11 | BSD | 9 | 2015-11-24 - 17:19 | over 9 years |
| 1.7.10 | BSD | 10 | 2015-08-18 - 17:15 | almost 10 years |
| 1.7.9 | BSD | 11 | 2015-07-08 - 21:33 | almost 10 years |
| 1.7.8 | BSD | 11 | 2015-05-01 - 20:42 | about 10 years |
| 1.7.7 | BSD | 11 | 2015-03-18 - 23:49 | over 10 years |
| 1.7.6 | BSD | 11 | 2015-03-09 - 15:30 | over 10 years |
| 1.7.5 | BSD | 12 | 2015-02-25 - 13:58 | over 10 years |
| 1.7.4 | BSD | 12 | 2015-01-27 - 17:22 | over 10 years |
| 1.7.3 | BSD | 12 | 2015-01-13 - 18:39 | over 10 years |
| 1.7.2 | BSD | 12 | 2015-01-03 - 01:37 | over 10 years |
| 1.7.1 | BSD | 12 | 2014-10-22 - 16:56 | over 10 years |
| 1.7 | BSD | 12 | 2014-09-02 - 21:09 | almost 11 years |
| 1.6.11 | BSD | 10 | 2015-03-18 - 23:57 | over 10 years |
| 1.6.10 | BSD | 10 | 2015-01-13 - 18:48 | over 10 years |
| 1.6.9 | BSD | 10 | 2015-01-03 - 01:52 | over 10 years |
| 1.6.8 | BSD | 10 | 2014-10-22 - 16:50 | over 10 years |
| 1.6.7 | BSD | 10 | 2014-09-02 - 20:55 | almost 11 years |
| 1.6.6 | BSD | 10 | 2014-08-20 - 20:17 | almost 11 years |
| 1.6.5 | BSD | 11 | 2014-05-14 - 18:33 | about 11 years |
| 1.6.4 | BSD | 13 | 2014-04-28 - 20:40 | about 11 years |
| 1.6.3 | BSD | 13 | 2014-04-21 - 23:12 | about 11 years |
| 1.6.2 | BSD | 13 | 2014-02-06 - 21:51 | over 11 years |
| 1.6.1 | BSD | 13 | 2013-12-12 - 20:04 | over 11 years |
| 1.6 | BSD | 13 | 2013-11-06 - 15:01 | over 11 years |
| 1.5.12 | BSD | 10 | 2015-01-03 - 02:09 | over 10 years |
| 1.5.11 | BSD | 10 | 2014-10-22 - 16:45 | over 10 years |
| 1.5.10 | BSD | 10 | 2014-09-02 - 20:51 | almost 11 years |
| 1.5.9 | BSD | 10 | 2014-08-20 - 20:10 | almost 11 years |
| 1.5.8 | BSD | 10 | 2014-05-14 - 18:35 | about 11 years |
| 1.5.7 | BSD | 12 | 2014-04-28 - 20:35 | about 11 years |
| 1.5.6 | BSD | 12 | 2014-04-21 - 22:53 | about 11 years |
| 1.5.5 | BSD | 12 | 2013-10-25 - 04:32 | over 11 years |
| 1.5.4 | BSD | 12 | 2013-09-15 - 06:30 | almost 12 years |
| 1.5.3 | BSD | 13 | 2013-09-11 - 01:26 | almost 12 years |
| 1.5.2 | BSD | 14 | 2013-08-13 - 16:54 | almost 12 years |