Python/django/4.0.7
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
3 Security Vulnerabilities
Django has regular expression denial of service vulnerability in EmailValidator/URLValidator
Published date: 2023-07-03T15:30:45Z
CVE: CVE-2023-36053
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-36053
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
- https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
- https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd
- https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9
- https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml
- https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
- https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html
- https://www.debian.org/security/2023/dsa-5465
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Affected versions:
["3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.1a1", "4.0.5", "4.1b1", "4.0.6", "4.1rc1", "4.0.7", "4.1", "4.1.1", "4.0.8", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0.9", "4.1.6", "4.0.10", "4.1.7", "4.1.8", "4.1.9", "4.2", "4.2.1", "4.2.2"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django contains Uncontrolled Resource Consumption via cached header
Published date: 2023-02-01T21:30:23Z
CVE: CVE-2023-23969
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-23969
- https://docs.djangoproject.com/en/4.1/releases/security/
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
- https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html
- https://github.com/advisories/GHSA-q2jf-h9jm-m7p4
- https://groups.google.com/forum/#!forum/django-announce
- https://security.netapp.com/advisory/ntap-20230302-0007/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95
- https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942
- https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a
- https://docs.djangoproject.com/en/4.1/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- https://security.netapp.com/advisory/ntap-20230302-0007
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-12.yaml
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Affected versions:
["4.0b1", "4.0rc1", "4.1a1", "4.1b1", "4.1rc1", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0a1", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "3.1rc1", "3.2", "3.2rc1", "3.0b1", "3.0rc1", "3.1b1", "3.2a1", "3.2b1", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django denial-of-service vulnerability in internationalized URLs
Published date: 2022-10-16T12:00:23Z
CVE: CVE-2022-41323
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-41323
- https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
- https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-304.yaml
- https://github.com/advisories/GHSA-qrw5-5h28-6cmg
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://security.netapp.com/advisory/ntap-20221124-0001/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://github.com/django/django/commit/23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1
- https://github.com/django/django/commit/9d656ea51d9ea7105c0c0785783ac29d426a7d25
- https://docs.djangoproject.com/en/4.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
- https://security.netapp.com/advisory/ntap-20221124-0001
- https://www.djangoproject.com/weblog/2022/oct/04/security-releases
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Affected versions:
["4.1", "4.1.1", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.5.1 | BSD | 16 | 2013-03-28 - 20:57 | over 12 years |
| 1.5 | BSD | 16 | 2013-02-26 - 19:30 | over 12 years |
| 1.4.22 | BSD | 10 | 2015-08-18 - 17:22 | almost 10 years |
| 1.4.21 | BSD | 11 | 2015-07-08 - 19:56 | almost 10 years |
| 1.4.20 | BSD | 13 | 2015-03-19 - 00:03 | over 10 years |
| 1.4.19 | BSD | 13 | 2015-01-27 - 17:11 | over 10 years |
| 1.4.18 | BSD | 13 | 2015-01-13 - 18:54 | over 10 years |
| 1.4.17 | BSD | 16 | 2015-01-03 - 02:20 | over 10 years |
| 1.4.16 | BSD | 16 | 2014-10-22 - 16:37 | over 10 years |
| 1.4.15 | BSD | 16 | 2014-09-02 - 20:44 | almost 11 years |
| 1.4.14 | BSD | 16 | 2014-08-20 - 20:01 | almost 11 years |
| 1.4.13 | BSD | 19 | 2014-05-14 - 18:27 | about 11 years |
| 1.4.12 | BSD | 21 | 2014-04-28 - 20:30 | about 11 years |
| 1.4.11 | BSD | 21 | 2014-04-21 - 22:40 | about 11 years |
| 1.4.10 | BSD | 23 | 2013-11-06 - 14:21 | over 11 years |
| 1.4.9 | BSD | 23 | 2013-10-25 - 04:38 | over 11 years |
| 1.4.8 | BSD | 23 | 2013-09-15 - 06:22 | almost 12 years |
| 1.4.7 | BSD | 24 | 2013-09-11 - 01:18 | almost 12 years |
| 1.4.6 | BSD | 25 | 2013-08-13 - 16:52 | almost 12 years |
| 1.4.5 | BSD | 26 | 2013-02-20 - 19:54 | over 12 years |
| 1.4.4 | BSD | 26 | 2013-02-19 - 20:27 | over 12 years |
| 1.4.3 | BSD | 28 | 2012-12-10 - 21:46 | over 12 years |
| 1.4.2 | BSD | 28 | 2012-10-17 - 22:18 | over 12 years |
| 1.4.1 | BSD | 29 | 2012-07-30 - 22:48 | almost 13 years |
| 1.4 | BSD | 30 | 2012-03-23 - 18:00 | over 13 years |
| 1.3.7 | BSD | 20 | 2013-02-20 - 20:03 | over 12 years |
| 1.3.6 | BSD | 20 | 2013-02-19 - 20:32 | over 12 years |
| 1.3.5 | BSD | 22 | 2012-12-10 - 21:39 | over 12 years |
| 1.3.4 | BSD | 22 | 2013-03-05 - 22:33 | over 12 years |
| 1.3.3 | BSD | 23 | 2012-08-01 - 22:08 | almost 13 years |
| 1.3.2 | BSD | 23 | 2012-07-30 - 23:02 | almost 13 years |
| 1.3.1 | BSD | 25 | 2011-09-10 - 03:36 | almost 14 years |
| 1.3 | BSD | 28 | 2011-03-23 - 06:09 | over 14 years |
| 1.2.7 | BSD | 22 | 2011-09-11 - 03:05 | almost 14 years |
| 1.2.6 | BSD | 26 | 2011-09-10 - 03:42 | almost 14 years |
| 1.2.5 | BSD | 26 | 2011-02-09 - 04:08 | over 14 years |
| 1.2.4 | BSD | 29 | 2010-12-23 - 05:15 | over 14 years |
| 1.2.3 | BSD | 29 | 2010-09-11 - 08:50 | almost 15 years |
| 1.2.2 | BSD | 29 | 2010-09-09 - 02:41 | almost 15 years |
| 1.2.1 | BSD | 30 | 2010-05-24 - 21:19 | about 15 years |
| 1.2 | BSD | 30 | 2010-05-17 - 20:04 | about 15 years |
| 1.1.4 | BSD | 24 | 2011-02-09 - 04:13 | over 14 years |
| 1.1.3 | BSD | 27 | 2010-12-23 - 05:14 | over 14 years |
| 1.1.2 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.1.1 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.1 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.4 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.3 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.2 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.1 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |