Python/django/4.1.5
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
5 Security Vulnerabilities
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
Published date: 2023-11-03T06:36:29Z
CVE: CVE-2023-41164
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41164
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
- https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
- https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
- https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-225.yaml
- https://github.com/advisories/GHSA-7h4p-27mh-hmrw
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://security.netapp.com/advisory/ntap-20231214-0002/
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uritoiri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django Denial-of-service in django.utils.text.Truncator
Published date: 2023-11-03T06:36:30Z
CVE: CVE-2023-43665
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43665
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
- https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
- https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8
- https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml
- https://github.com/advisories/GHSA-h8gc-pgj2-vjm3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://docs.djangoproject.com/en/4.2/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU
- https://security.netapp.com/advisory/ntap-20231221-0001
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases
- http://www.openwall.com/lists/oss-security/2024/03/04/1
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatecharshtml and truncatewordshtml template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django has regular expression denial of service vulnerability in EmailValidator/URLValidator
Published date: 2023-07-03T15:30:45Z
CVE: CVE-2023-36053
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-36053
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
- https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
- https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd
- https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9
- https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml
- https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
- https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html
- https://www.debian.org/security/2023/dsa-5465
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Affected versions:
["3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.1a1", "4.0.5", "4.1b1", "4.0.6", "4.1rc1", "4.0.7", "4.1", "4.1.1", "4.0.8", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0.9", "4.1.6", "4.0.10", "4.1.7", "4.1.8", "4.1.9", "4.2", "4.2.1", "4.2.2"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django contains Uncontrolled Resource Consumption via cached header
Published date: 2023-02-01T21:30:23Z
CVE: CVE-2023-23969
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-23969
- https://docs.djangoproject.com/en/4.1/releases/security/
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
- https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html
- https://github.com/advisories/GHSA-q2jf-h9jm-m7p4
- https://groups.google.com/forum/#!forum/django-announce
- https://security.netapp.com/advisory/ntap-20230302-0007/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Affected versions:
["4.0b1", "4.0rc1", "4.1a1", "4.1b1", "4.1rc1", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0a1", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "3.0b1", "3.0rc1", "3.1b1", "3.1rc1", "3.2", "3.2a1", "3.2b1", "3.2rc1", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
Django potential denial of service vulnerability in UsernameField on Windows
Published date: 2023-11-02T06:30:25Z
CVE: CVE-2023-46695
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46695
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
- https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
- https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e
- https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml
- https://github.com/advisories/GHSA-qmf9-6jqf-j8fq
- https://groups.google.com/forum/#%21forum/django-announce
- https://security.netapp.com/advisory/ntap-20231214-0001/
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22"]
Secure versions:
[4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6]
Recommendation:
Update to version 5.0.6.
360 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.0.1 | BSD | 10 | 2019-12-18 - 08:59 | over 4 years |
| 3.0 | BSD | 11 | 2019-12-02 - 11:13 | over 4 years |
| 2.2.28 | BSD | 1 | 2022-04-11 - 07:52 | about 2 years |
| 2.2.27 | BSD | 1 | 2022-02-01 - 07:56 | over 2 years |
| 2.2.26 | BSD | 3 | 2022-01-04 - 09:53 | over 2 years |
| 2.2.25 | BSD | 3 | 2021-12-07 - 07:34 | over 2 years |
| 2.2.24 | BSD | 3 | 2021-06-02 - 08:53 | almost 3 years |
| 2.2.23 | BSD | 5 | 2021-05-13 - 07:36 | almost 3 years |
| 2.2.22 | BSD | 5 | 2021-05-06 - 07:40 | about 3 years |
| 2.2.21 | BSD | 5 | 2021-05-04 - 08:47 | about 3 years |
| 2.2.20 | BSD | 5 | 2021-04-06 - 07:34 | about 3 years |
| 2.2.19 | BSD | 5 | 2021-02-19 - 09:07 | about 3 years |
| 2.2.18 | BSD | 5 | 2021-02-01 - 09:28 | over 3 years |
| 2.2.17 | BSD | 6 | 2020-11-02 - 08:12 | over 3 years |
| 2.2.16 | BSD | 6 | 2020-09-01 - 09:14 | over 3 years |
| 2.2.15 | BSD | 8 | 2020-08-03 - 07:23 | almost 4 years |
| 2.2.14 | BSD | 8 | 2020-07-01 - 04:49 | almost 4 years |
| 2.2.13 | BSD | 8 | 2020-06-03 - 09:36 | almost 4 years |
| 2.2.12 | BSD | 10 | 2020-04-01 - 07:59 | about 4 years |
| 2.2.11 | BSD | 10 | 2020-03-04 - 09:31 | about 4 years |
| 2.2.10 | BSD | 11 | 2020-02-03 - 09:50 | over 4 years |
| 2.2.9 | BSD | 12 | 2019-12-18 - 08:59 | over 4 years |
| 2.2.8 | BSD | 13 | 2019-12-02 - 08:57 | over 4 years |
| 2.2.7 | BSD | 14 | 2019-11-04 - 08:33 | over 4 years |
| 2.2.6 | BSD | 14 | 2019-10-01 - 08:36 | over 4 years |
| 2.2.5 | BSD | 14 | 2019-09-02 - 07:18 | over 4 years |
| 2.2.4 | BSD | 14 | 2019-08-01 - 09:04 | almost 5 years |
| 2.2.3 | BSD | 18 | 2019-07-01 - 07:19 | almost 5 years |
| 2.2.2 | BSD | 19 | 2019-06-03 - 10:11 | almost 5 years |
| 2.2.1 | BSD | 21 | 2019-05-01 - 06:57 | about 5 years |
| 2.2 | BSD | 21 | 2019-04-01 - 12:47 | about 5 years |
| 2.1.15 | BSD | 5 | 2019-12-02 - 08:57 | over 4 years |
| 2.1.14 | BSD | 6 | 2019-11-04 - 08:33 | over 4 years |
| 2.1.13 | BSD | 6 | 2019-10-01 - 08:36 | over 4 years |
| 2.1.12 | BSD | 6 | 2019-09-02 - 07:18 | over 4 years |
| 2.1.11 | BSD | 6 | 2019-08-01 - 09:04 | almost 5 years |
| 2.1.10 | BSD | 10 | 2019-07-01 - 07:19 | almost 5 years |
| 2.1.9 | BSD | 11 | 2019-06-03 - 10:11 | almost 5 years |
| 2.1.8 | BSD | 13 | 2019-04-01 - 09:18 | about 5 years |
| 2.1.7 | BSD | 13 | 2019-02-11 - 15:10 | about 5 years |
| 2.1.5 | BSD | 14 | 2019-01-04 - 13:52 | over 5 years |
| 2.1.4 | BSD | 15 | 2018-12-03 - 17:02 | over 5 years |
| 2.1.3 | BSD | 15 | 2018-11-01 - 14:36 | over 5 years |
| 2.1.2 | BSD | 15 | 2018-10-01 - 09:22 | over 5 years |
| 2.1.1 | BSD | 16 | 2018-08-31 - 08:42 | over 5 years |
| 2.1 | BSD | 16 | 2018-08-01 - 14:11 | almost 6 years |
| 2.0.13 | BSD | 6 | 2019-02-12 - 10:50 | about 5 years |
| 2.0.12 | BSD | 6 | 2019-02-11 - 15:10 | about 5 years |
| 2.0.10 | BSD | 7 | 2019-01-04 - 14:03 | over 5 years |
| 2.0.9 | BSD | 8 | 2018-10-01 - 09:22 | over 5 years |
| 2.0.8 | BSD | 8 | 2018-08-01 - 13:51 | almost 6 years |
| 2.0.7 | BSD | 9 | 2018-07-02 - 09:02 | almost 6 years |
| 2.0.6 | BSD | 9 | 2018-06-01 - 15:32 | almost 6 years |
| 2.0.5 | BSD | 9 | 2018-05-02 - 01:34 | about 6 years |
| 2.0.4 | BSD | 9 | 2018-04-03 - 02:39 | about 6 years |
| 2.0.3 | BSD | 9 | 2018-03-06 - 14:05 | about 6 years |
| 2.0.2 | BSD | 11 | 2018-02-01 - 14:30 | over 6 years |
| 2.0.1 | BSD | 12 | 2018-01-02 - 00:50 | over 6 years |
| 2.0 | BSD | 12 | 2017-12-02 - 15:11 | over 6 years |
| 1.11.29 | BSD | 2 | 2020-03-04 - 09:31 | about 4 years |
| 1.11.28 | BSD | 3 | 2020-02-03 - 09:50 | over 4 years |
| 1.11.27 | BSD | 4 | 2019-12-18 - 08:59 | over 4 years |
| 1.11.26 | BSD | 5 | 2019-11-04 - 08:33 | over 4 years |
| 1.11.25 | BSD | 5 | 2019-10-01 - 08:36 | over 4 years |
| 1.11.24 | BSD | 5 | 2019-09-02 - 07:18 | over 4 years |
| 1.11.23 | BSD | 5 | 2019-08-01 - 09:04 | almost 5 years |
| 1.11.22 | BSD | 9 | 2019-07-01 - 07:19 | almost 5 years |
| 1.11.21 | BSD | 10 | 2019-06-03 - 10:10 | almost 5 years |
| 1.11.20 | BSD | 11 | 2019-02-11 - 15:10 | about 5 years |
| 1.11.18 | BSD | 12 | 2019-01-04 - 14:10 | over 5 years |
| 1.11.17 | BSD | 13 | 2018-12-03 - 17:02 | over 5 years |
| 1.11.16 | BSD | 13 | 2018-10-01 - 09:22 | over 5 years |
| 1.11.15 | BSD | 13 | 2018-08-01 - 13:45 | almost 6 years |
| 1.11.14 | BSD | 14 | 2018-07-02 - 09:01 | almost 6 years |
| 1.11.13 | BSD | 14 | 2018-05-02 - 01:54 | about 6 years |
| 1.11.12 | BSD | 14 | 2018-04-03 - 02:45 | about 6 years |
| 1.11.11 | BSD | 14 | 2018-03-06 - 14:15 | about 6 years |
| 1.11.10 | BSD | 16 | 2018-02-01 - 14:40 | over 6 years |
| 1.11.9 | BSD | 17 | 2018-01-02 - 01:01 | over 6 years |
| 1.11.8 | BSD | 17 | 2017-12-02 - 14:20 | over 6 years |
| 1.11.7 | BSD | 16 | 2017-11-02 - 01:26 | over 6 years |
| 1.11.6 | BSD | 16 | 2017-10-05 - 18:21 | over 6 years |
| 1.11.5 | BSD | 16 | 2017-09-05 - 15:18 | over 6 years |
| 1.11.4 | BSD | 17 | 2017-08-01 - 12:24 | almost 7 years |
| 1.11.3 | BSD | 17 | 2017-07-01 - 23:24 | almost 7 years |
| 1.11.2 | BSD | 17 | 2017-06-01 - 16:47 | almost 7 years |
| 1.11.1 | BSD | 17 | 2017-05-06 - 13:26 | about 7 years |
| 1.11 | BSD | 17 | 2017-04-04 - 15:59 | about 7 years |
| 1.10.8 | BSD | 6 | 2017-09-05 - 15:31 | over 6 years |
| 1.10.7 | BSD | 7 | 2017-04-04 - 14:27 | about 7 years |
| 1.10.6 | BSD | 9 | 2017-03-01 - 13:37 | about 7 years |
| 1.10.5 | BSD | 9 | 2017-01-04 - 19:22 | over 7 years |
| 1.10.4 | BSD | 9 | 2016-12-01 - 23:46 | over 7 years |
| 1.10.3 | BSD | 9 | 2016-11-01 - 13:56 | over 7 years |
| 1.10.2 | BSD | 11 | 2016-10-01 - 20:05 | over 7 years |
| 1.10.1 | BSD | 11 | 2016-09-01 - 23:17 | over 7 years |
| 1.10 | BSD | 11 | 2016-08-01 - 18:32 | almost 8 years |
| 1.9.13 | BSD | 6 | 2017-04-04 - 14:14 | about 7 years |
| 1.9.12 | BSD | 8 | 2016-12-01 - 23:16 | over 7 years |
| 1.9.11 | BSD | 8 | 2016-11-01 - 14:02 | over 7 years |