Python/django/4.1.10
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
3 Security Vulnerabilities
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
Published date: 2023-11-03T06:36:29Z
CVE: CVE-2023-41164
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41164
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
- https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
- https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
- https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-225.yaml
- https://github.com/advisories/GHSA-7h4p-27mh-hmrw
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://security.netapp.com/advisory/ntap-20231214-0002/
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uritoiri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django Denial-of-service in django.utils.text.Truncator
Published date: 2023-11-03T06:36:30Z
CVE: CVE-2023-43665
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43665
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
- https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
- https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8
- https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml
- https://github.com/advisories/GHSA-h8gc-pgj2-vjm3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://docs.djangoproject.com/en/4.2/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://security.netapp.com/advisory/ntap-20231221-0001
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases
- http://www.openwall.com/lists/oss-security/2024/03/04/1
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatecharshtml and truncatewordshtml template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django potential denial of service vulnerability in UsernameField on Windows
Published date: 2023-11-02T06:30:25Z
CVE: CVE-2023-46695
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://github.com/advisories/GHSA-qmf9-6jqf-j8fq
- https://groups.google.com/forum/#%21forum/django-announce
- https://security.netapp.com/advisory/ntap-20231214-0001/
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
360 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.2.6 | BSD | 27 | 2011-09-10 - 03:42 | over 12 years |
| 1.2.5 | BSD | 27 | 2011-02-09 - 04:08 | about 13 years |
| 1.2.4 | BSD | 30 | 2010-12-23 - 05:15 | over 13 years |
| 1.2.3 | BSD | 32 | 2010-09-11 - 08:50 | over 13 years |
| 1.2.2 | BSD | 32 | 2010-09-09 - 02:41 | over 13 years |
| 1.2.1 | BSD | 33 | 2010-05-24 - 21:19 | almost 14 years |
| 1.2 | BSD | 33 | 2010-05-17 - 20:04 | almost 14 years |
| 1.1.4 | BSD | 25 | 2011-02-09 - 04:13 | about 13 years |
| 1.1.3 | BSD | 28 | 2010-12-23 - 05:14 | over 13 years |
| 1.1.2 | BSD | 30 | ||
| 1.1.1 | BSD | 30 | ||
| 1.1 | BSD | 30 | ||
| 1.0.4 | BSD | 27 | ||
| 1.0.3 | BSD | 27 | ||
| 1.0.2 | BSD | 27 | ||
| 1.0.1 | BSD | 27 | ||
| 4.0b1 | BSD-3-Clause AND BSD | 1 | 2021-10-25 - 09:23 | over 2 years |
| 4.0a1 | BSD-3-Clause AND BSD | 1 | 2021-09-21 - 19:08 | over 2 years |
| 4.0rc1 | BSD-3-Clause AND BSD | 1 | 2021-11-22 - 06:37 | over 2 years |
| 3.2rc1 | BSD-3-Clause AND BSD | 2 | 2021-03-18 - 13:55 | about 3 years |
| 3.2a1 | BSD-3-Clause AND BSD | 2 | 2021-01-19 - 13:04 | over 3 years |
| 3.2b1 | BSD-3-Clause AND BSD | 2 | 2021-02-19 - 09:35 | about 3 years |
| 3.1a1 | BSD-3-Clause AND BSD | 3 | 2020-05-14 - 09:41 | almost 4 years |
| 3.1b1 | BSD-3-Clause AND BSD | 4 | 2020-06-15 - 08:15 | almost 4 years |
| 3.0b1 | BSD | 2 | 2019-10-14 - 10:21 | over 4 years |
| 3.0a1 | BSD | 1 | 2019-09-10 - 09:19 | over 4 years |
| 3.0rc1 | BSD | 2 | 2019-11-18 - 08:51 | over 4 years |
| 3.1rc1 | BSD-3-Clause AND BSD | 4 | 2020-07-20 - 06:38 | almost 4 years |
| 2.2rc1 | BSD | 6 | 2019-03-18 - 08:57 | about 5 years |
| 2.2b1 | BSD | 6 | 2019-02-11 - 10:33 | about 5 years |
| 2.2a1 | BSD | 6 | 2019-01-17 - 15:35 | over 5 years |
| 2.1b1 | BSD | 6 | 2018-06-18 - 23:55 | almost 6 years |
| 2.1a1 | BSD | 6 | 2018-05-18 - 01:01 | almost 6 years |
| 2.1rc1 | BSD | 6 | 2018-07-18 - 17:35 | almost 6 years |
| 2.0rc1 | BSD | 3 | 2017-11-15 - 23:51 | over 6 years |
| 2.0a1 | BSD | 3 | 2017-09-22 - 18:09 | over 6 years |
| 2.0b1 | BSD | 3 | 2017-10-17 - 02:00 | over 6 years |
| 1.9rc2 | BSD | 3 | 2015-11-24 - 17:35 | over 8 years |
| 1.9b1 | BSD | 4 | 2015-10-20 - 01:17 | over 8 years |
| 1.9a1 | BSD | 4 | 2015-09-24 - 00:20 | over 8 years |
| 1.9rc1 | BSD | 4 | 2015-11-16 - 21:10 | over 8 years |
| 1.8b2 | BSD | 7 | 2015-03-09 - 15:55 | about 9 years |
| 1.8b1 | BSD | 8 | 2015-02-25 - 13:42 | about 9 years |
| 1.8c1 | BSD | 6 | 2015-03-18 - 23:39 | about 9 years |
| 1.8a1 | BSD | 7 | 2015-01-16 - 22:25 | over 9 years |
| 1.11b1 | BSD | 26 | 2017-02-20 - 23:21 | about 7 years |
| 1.11a1 | BSD | 26 | 2017-01-18 - 01:01 | over 7 years |
| 1.11rc1 | BSD | 25 | 2017-03-21 - 22:55 | about 7 years |
| 1.10rc1 | BSD | 25 | 2016-07-18 - 18:04 | almost 8 years |
| 1.10a1 | BSD | 26 | 2016-05-20 - 12:16 | almost 8 years |
| 1.10b1 | BSD | 26 | 2016-06-22 - 01:15 | almost 8 years |
| 5.0rc1 | BSD-3-Clause AND BSD | |||
| 5.0b1 | BSD-3-Clause AND BSD | |||
| 5.0a1 | BSD-3-Clause AND BSD | |||
| 4.2rc1 | BSD-3-Clause AND BSD | |||
| 4.2b1 | BSD-3-Clause AND BSD | |||
| 4.2a1 | BSD-3-Clause AND BSD | |||
| 4.1rc1 | BSD-3-Clause AND BSD | 2 | ||
| 4.1a1 | BSD-3-Clause AND BSD | 2 | 2022-05-18 - 05:54 | almost 2 years |
| 4.1b1 | BSD-3-Clause AND BSD | 2 | 2022-06-21 - 09:20 | almost 2 years |