Python/django/4.2.9
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD-3-Clause
AND
BSD
4 Security Vulnerabilities
Django denial-of-service in django.utils.html.strip_tags()
Published date: 2024-12-06T12:30:47Z
CVE: CVE-2024-53907
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53907
- https://docs.djangoproject.com/en/dev/releases/security
- https://groups.google.com/g/django-announce
- https://www.openwall.com/lists/oss-security/2024/12/04/3
- https://www.djangoproject.com/weblog/2024/dec/04/security-releases
- https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-156.yaml
- https://github.com/advisories/GHSA-8498-2h75-472j
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "4.2.11", "4.2.12", "4.2.13", "4.2.14", "4.2.15", "4.2.16", "5.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.0.7", "5.0.8", "5.0.9", "5.1", "5.1.1", "5.1.2", "5.1.3"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django SQL injection in HasKey(lhs, rhs) on Oracle
Published date: 2024-12-06T12:30:47Z
CVE: CVE-2024-53908
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53908
- https://docs.djangoproject.com/en/dev/releases/security
- https://groups.google.com/g/django-announce
- https://www.openwall.com/lists/oss-security/2024/12/04/3
- https://www.djangoproject.com/weblog/2024/dec/04/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-157.yaml
- https://github.com/advisories/GHSA-m9g8-fxxm-xg86
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.haskey lookup via _ are unaffected.)
Affected versions:
["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "4.2.11", "4.2.12", "4.2.13", "4.2.14", "4.2.15", "4.2.16", "5.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.0.7", "5.0.8", "5.0.9", "5.1", "5.1.1", "5.1.2", "5.1.3"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Regular expression denial-of-service in Django
Published date: 2024-03-15T21:30:43Z
CVE: CVE-2024-27351
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-27351
- https://docs.djangoproject.com/en/5.0/releases/security
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml
- https://github.com/advisories/GHSA-vm8q-m57g-pff3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
- https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
- https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Affected versions:
["5.0", "5.0.1", "5.0.2", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23", "3.2.24"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
Django denial-of-service attack in the intcomma template filter
Published date: 2024-02-07T00:30:25Z
CVE: CVE-2024-24680
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-24680
- https://docs.djangoproject.com/en/5.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
- https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc
- https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
- https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
- https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml
- https://github.com/advisories/GHSA-xxj9-f6rv-m3x4
- https://docs.djangoproject.com/en/5.0/releases/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
- https://www.djangoproject.com/weblog/2024/feb/06/security-releases
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Affected versions:
["5.0", "5.0.1", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9"]
Secure versions:
[2.2.27, 2.2.28, 3.0a1, 3.1.12, 3.1.13, 3.1.14, 3.2.25, 4.1.13, 4.2.17, 4.2.18, 4.2.19, 4.2.20, 4.2.21, 4.2.22, 4.2.23, 4.2a1, 4.2b1, 4.2rc1, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0a1, 5.0b1, 5.0rc1, 5.1.10, 5.1.11, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1a1, 5.1b1, 5.1rc1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2a1, 5.2b1, 5.2rc1]
Recommendation:
Update to version 5.2.3.
400 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.5.1 | BSD | 16 | 2013-03-28 - 20:57 | over 12 years |
| 1.5 | BSD | 16 | 2013-02-26 - 19:30 | over 12 years |
| 1.4.22 | BSD | 10 | 2015-08-18 - 17:22 | almost 10 years |
| 1.4.21 | BSD | 11 | 2015-07-08 - 19:56 | almost 10 years |
| 1.4.20 | BSD | 13 | 2015-03-19 - 00:03 | over 10 years |
| 1.4.19 | BSD | 13 | 2015-01-27 - 17:11 | over 10 years |
| 1.4.18 | BSD | 13 | 2015-01-13 - 18:54 | over 10 years |
| 1.4.17 | BSD | 16 | 2015-01-03 - 02:20 | over 10 years |
| 1.4.16 | BSD | 16 | 2014-10-22 - 16:37 | over 10 years |
| 1.4.15 | BSD | 16 | 2014-09-02 - 20:44 | almost 11 years |
| 1.4.14 | BSD | 16 | 2014-08-20 - 20:01 | almost 11 years |
| 1.4.13 | BSD | 19 | 2014-05-14 - 18:27 | about 11 years |
| 1.4.12 | BSD | 21 | 2014-04-28 - 20:30 | about 11 years |
| 1.4.11 | BSD | 21 | 2014-04-21 - 22:40 | about 11 years |
| 1.4.10 | BSD | 23 | 2013-11-06 - 14:21 | over 11 years |
| 1.4.9 | BSD | 23 | 2013-10-25 - 04:38 | over 11 years |
| 1.4.8 | BSD | 23 | 2013-09-15 - 06:22 | almost 12 years |
| 1.4.7 | BSD | 24 | 2013-09-11 - 01:18 | almost 12 years |
| 1.4.6 | BSD | 25 | 2013-08-13 - 16:52 | almost 12 years |
| 1.4.5 | BSD | 26 | 2013-02-20 - 19:54 | over 12 years |
| 1.4.4 | BSD | 26 | 2013-02-19 - 20:27 | over 12 years |
| 1.4.3 | BSD | 28 | 2012-12-10 - 21:46 | over 12 years |
| 1.4.2 | BSD | 28 | 2012-10-17 - 22:18 | over 12 years |
| 1.4.1 | BSD | 29 | 2012-07-30 - 22:48 | almost 13 years |
| 1.4 | BSD | 30 | 2012-03-23 - 18:00 | over 13 years |
| 1.3.7 | BSD | 20 | 2013-02-20 - 20:03 | over 12 years |
| 1.3.6 | BSD | 20 | 2013-02-19 - 20:32 | over 12 years |
| 1.3.5 | BSD | 22 | 2012-12-10 - 21:39 | over 12 years |
| 1.3.4 | BSD | 22 | 2013-03-05 - 22:33 | over 12 years |
| 1.3.3 | BSD | 23 | 2012-08-01 - 22:08 | almost 13 years |
| 1.3.2 | BSD | 23 | 2012-07-30 - 23:02 | almost 13 years |
| 1.3.1 | BSD | 25 | 2011-09-10 - 03:36 | almost 14 years |
| 1.3 | BSD | 28 | 2011-03-23 - 06:09 | over 14 years |
| 1.2.7 | BSD | 22 | 2011-09-11 - 03:05 | almost 14 years |
| 1.2.6 | BSD | 26 | 2011-09-10 - 03:42 | almost 14 years |
| 1.2.5 | BSD | 26 | 2011-02-09 - 04:08 | over 14 years |
| 1.2.4 | BSD | 29 | 2010-12-23 - 05:15 | over 14 years |
| 1.2.3 | BSD | 29 | 2010-09-11 - 08:50 | almost 15 years |
| 1.2.2 | BSD | 29 | 2010-09-09 - 02:41 | almost 15 years |
| 1.2.1 | BSD | 30 | 2010-05-24 - 21:19 | about 15 years |
| 1.2 | BSD | 30 | 2010-05-17 - 20:04 | about 15 years |
| 1.1.4 | BSD | 24 | 2011-02-09 - 04:13 | over 14 years |
| 1.1.3 | BSD | 27 | 2010-12-23 - 05:14 | over 14 years |
| 1.1.2 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.1.1 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.1 | BSD | 29 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.4 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.3 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.2 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |
| 1.0.1 | BSD | 26 | 1970-01-01 - 00:00 | over 55 years |