Python/django/4.0.2
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
4 Security Vulnerabilities
Django has regular expression denial of service vulnerability in EmailValidator/URLValidator
- https://nvd.nist.gov/vuln/detail/CVE-2023-36053
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
- https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
- https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd
- https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9
- https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml
- https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
- https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html
- https://www.debian.org/security/2023/dsa-5465
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator
and URLValidator
are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
- https://nvd.nist.gov/vuln/detail/CVE-2022-34265
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
- https://github.com/advisories/GHSA-p64x-8rxx-wf6q
- https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
- https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
- https://security.netapp.com/advisory/ntap-20220818-0006/
- https://www.debian.org/security/2022/dsa-5254
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
- https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc()
and Extract()
database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Django contains Uncontrolled Resource Consumption via cached header
- https://nvd.nist.gov/vuln/detail/CVE-2023-23969
- https://docs.djangoproject.com/en/4.1/releases/security/
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
- https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html
- https://github.com/advisories/GHSA-q2jf-h9jm-m7p4
- https://groups.google.com/forum/#!forum/django-announce
- https://security.netapp.com/advisory/ntap-20230302-0007/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95
- https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942
- https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a
- https://docs.djangoproject.com/en/4.1/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- https://security.netapp.com/advisory/ntap-20230302-0007
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Django denial-of-service vulnerability in internationalized URLs
- https://nvd.nist.gov/vuln/detail/CVE-2022-41323
- https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
- https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-304.yaml
- https://github.com/advisories/GHSA-qrw5-5h28-6cmg
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://security.netapp.com/advisory/ntap-20221124-0001/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://github.com/django/django/commit/23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1
- https://github.com/django/django/commit/9d656ea51d9ea7105c0c0785783ac29d426a7d25
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
- https://security.netapp.com/advisory/ntap-20221124-0001
- https://www.djangoproject.com/weblog/2022/oct/04/security-releases
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
371 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
4.2.9 | BSD-3-Clause AND BSD | 2 | ||
4.2.7 | BSD-3-Clause AND BSD | 2 | ||
4.2.8 | BSD-3-Clause AND BSD | 2 | ||
5.0 | BSD-3-Clause AND BSD | 2 | ||
3.2.23 | BSD-3-Clause AND BSD | 2 | ||
5.0.1 | BSD-3-Clause AND BSD | 2 | ||
3.1.13 | BSD-3-Clause AND BSD | 1 | 2021-07-01 - 07:39 | about 3 years |
3.1.12 | BSD-3-Clause AND BSD | 1 | 2021-06-02 - 08:53 | over 3 years |
2.2.28 | BSD | 1 | 2022-04-11 - 07:52 | over 2 years |
2.2.27 | BSD | 1 | 2022-02-01 - 07:56 | over 2 years |
3.0a1 | BSD | 1 | 2019-09-10 - 09:19 | about 5 years |
3.1.14 | BSD-3-Clause AND BSD | 1 | 2021-12-07 - 07:34 | almost 3 years |
2.2.11 | BSD | 10 | 2020-03-04 - 09:31 | over 4 years |
2.2.12 | BSD | 10 | 2020-04-01 - 07:59 | over 4 years |
3.0.4 | BSD | 8 | 2020-03-04 - 09:31 | over 4 years |
3.0.5 | BSD | 8 | 2020-04-01 - 07:59 | over 4 years |
3.0.6 | BSD | 8 | 2020-05-04 - 05:26 | over 4 years |
2.0.10 | BSD | 7 | 2019-01-04 - 14:03 | over 5 years |
1.11.18 | BSD | 12 | 2019-01-04 - 14:10 | over 5 years |
2.1.5 | BSD | 14 | 2019-01-04 - 13:52 | over 5 years |
5.0.2 | BSD-3-Clause AND BSD | 1 | ||
3.2.24 | BSD-3-Clause AND BSD | 1 | ||
4.2.10 | BSD-3-Clause AND BSD | 1 | ||
2.1.15 | BSD | 5 | 2019-12-02 - 08:57 | almost 5 years |
2.2b1 | BSD | 6 | 2019-02-11 - 10:33 | over 5 years |
2.1rc1 | BSD | 6 | 2018-07-18 - 17:35 | about 6 years |
2.0.13 | BSD | 6 | 2019-02-12 - 10:50 | over 5 years |
2.2a1 | BSD | 6 | 2019-01-17 - 15:35 | over 5 years |
2.1a1 | BSD | 6 | 2018-05-18 - 01:01 | over 6 years |
2.2rc1 | BSD | 6 | 2019-03-18 - 08:57 | over 5 years |
2.1b1 | BSD | 6 | 2018-06-18 - 23:55 | over 6 years |
2.0.12 | BSD | 6 | 2019-02-11 - 15:10 | over 5 years |
2.2.8 | BSD | 13 | 2019-12-02 - 08:57 | almost 5 years |
3.0 | BSD | 11 | 2019-12-02 - 11:13 | almost 5 years |
1.11.26 | BSD | 5 | 2019-11-04 - 08:33 | almost 5 years |
1.11.23 | BSD | 5 | 2019-08-01 - 09:04 | about 5 years |
1.11.25 | BSD | 5 | 2019-10-01 - 08:36 | almost 5 years |
1.11.24 | BSD | 5 | 2019-09-02 - 07:18 | about 5 years |
3.2.14 | BSD-3-Clause AND BSD | 8 | 2022-07-04 - 07:57 | about 2 years |
3.2.15 | BSD-3-Clause AND BSD | 8 | ||
4.1.1 | BSD-3-Clause AND BSD | 6 | ||
4.1 | BSD-3-Clause AND BSD | 6 | ||
4.0.7 | BSD-3-Clause AND BSD | 3 | ||
4.0.6 | BSD-3-Clause AND BSD | 3 | 2022-07-04 - 07:57 | about 2 years |
4.2.6 | BSD-3-Clause AND BSD | 3 | ||
3.2.22 | BSD-3-Clause AND BSD | 3 | ||
3.2.21 | BSD-3-Clause AND BSD | 4 | ||
4.2.5 | BSD-3-Clause AND BSD | 4 | ||
4.1.11 | BSD-3-Clause AND BSD | 2 | ||
3.2.20 | BSD-3-Clause AND BSD | 5 | ||
4.2.4 | BSD-3-Clause AND BSD | 5 | ||
4.2.3 | BSD-3-Clause AND BSD | 5 | ||
4.1.10 | BSD-3-Clause AND BSD | 3 | ||
4.1.12 | BSD-3-Clause AND BSD | 1 | ||
3.0b1 | BSD | 2 | 2019-10-14 - 10:21 | almost 5 years |
3.0rc1 | BSD | 2 | 2019-11-18 - 08:51 | almost 5 years |
3.2a1 | BSD-3-Clause AND BSD | 2 | 2021-01-19 - 13:04 | over 3 years |
3.2rc1 | BSD-3-Clause AND BSD | 2 | 2021-03-18 - 13:55 | over 3 years |
3.2b1 | BSD-3-Clause AND BSD | 2 | 2021-02-19 - 09:35 | over 3 years |
3.2.16 | BSD-3-Clause AND BSD | 7 | ||
4.1.2 | BSD-3-Clause AND BSD | 5 | ||
4.1.5 | BSD-3-Clause AND BSD | 5 | ||
4.1.3 | BSD-3-Clause AND BSD | 5 | ||
4.1.4 | BSD-3-Clause AND BSD | 5 | ||
4.0.8 | BSD-3-Clause AND BSD | 2 | ||
4.1rc1 | BSD-3-Clause AND BSD | 2 | ||
4.1b1 | BSD-3-Clause AND BSD | 2 | 2022-06-21 - 09:20 | over 2 years |
4.1a1 | BSD-3-Clause AND BSD | 2 | 2022-05-18 - 05:54 | over 2 years |
4.0b1 | BSD-3-Clause AND BSD | 1 | 2021-10-25 - 09:23 | almost 3 years |
4.0rc1 | BSD-3-Clause AND BSD | 1 | 2021-11-22 - 06:37 | almost 3 years |
4.0a1 | BSD-3-Clause AND BSD | 1 | 2021-09-21 - 19:08 | almost 3 years |
3.2.12 | BSD-3-Clause AND BSD | 9 | 2022-02-01 - 07:56 | over 2 years |
3.2.13 | BSD-3-Clause AND BSD | 9 | 2022-04-11 - 07:52 | over 2 years |
4.0.4 | BSD-3-Clause AND BSD | 4 | 2022-04-11 - 07:53 | over 2 years |
4.0.3 | BSD-3-Clause AND BSD | 4 | 2022-03-01 - 08:47 | over 2 years |
4.0.5 | BSD-3-Clause AND BSD | 4 | 2022-06-01 - 12:22 | over 2 years |
4.0.2 | BSD-3-Clause AND BSD | 4 | 2022-02-01 - 07:56 | over 2 years |
4.2 | BSD-3-Clause AND BSD | 6 | ||
3.2.17 | BSD-3-Clause AND BSD | 6 | ||
3.2.18 | BSD-3-Clause AND BSD | 6 | ||
4.2.2 | BSD-3-Clause AND BSD | 6 | ||
4.2.1 | BSD-3-Clause AND BSD | 6 | ||
3.2.19 | BSD-3-Clause AND BSD | 6 | ||
4.1.8 | BSD-3-Clause AND BSD | 4 | ||
4.1.7 | BSD-3-Clause AND BSD | 4 | ||
4.1.6 | BSD-3-Clause AND BSD | 4 | ||
4.1.9 | BSD-3-Clause AND BSD | 4 | ||
4.0.9 | BSD-3-Clause AND BSD | 1 | ||
4.0.10 | BSD-3-Clause AND BSD | 1 | ||
2.1.12 | BSD | 6 | 2019-09-02 - 07:18 | about 5 years |
2.1.14 | BSD | 6 | 2019-11-04 - 08:33 | almost 5 years |
2.1.13 | BSD | 6 | 2019-10-01 - 08:36 | almost 5 years |
2.1.11 | BSD | 6 | 2019-08-01 - 09:04 | about 5 years |
2.2.7 | BSD | 14 | 2019-11-04 - 08:33 | almost 5 years |
2.2.4 | BSD | 14 | 2019-08-01 - 09:04 | about 5 years |
2.2.5 | BSD | 14 | 2019-09-02 - 07:18 | about 5 years |
2.2.6 | BSD | 14 | 2019-10-01 - 08:36 | almost 5 years |
2.2.9 | BSD | 12 | 2019-12-18 - 08:59 | almost 5 years |
3.0.2 | BSD | 10 | 2020-01-02 - 07:22 | over 4 years |
3.0.1 | BSD | 10 | 2019-12-18 - 08:59 | almost 5 years |