rpm package
opensuse/python-Django&distro=openSUSE Leap 15.3
pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.3
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-41323 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Oct 16, 2022 | In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. | ||
| CVE-2022-36359 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Aug 3, 2022 | An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-suppli | ||
| CVE-2022-28347 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Apr 12, 2022 | A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. | ||
| CVE-2022-28346 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Apr 12, 2022 | An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | ||
| CVE-2022-23833 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Feb 3, 2022 | An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | ||
| CVE-2022-22818 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Feb 3, 2022 | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. | ||
| CVE-2021-45115 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Jan 4, 2022 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where a | ||
| CVE-2021-45116 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Jan 4, 2022 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method cal | ||
| CVE-2021-45452 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Jan 4, 2022 | Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. | ||
| CVE-2021-44420 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Dec 7, 2021 | In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. | ||
| CVE-2021-33203 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Jun 8, 2021 | Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te | ||
| CVE-2021-33571 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | Jun 8, 2021 | In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4 | ||
| CVE-2021-32052 | — | < 2.2.28-bp153.2.3.1 | 2.2.28-bp153.2.3.1 | May 6, 2021 | In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Djang |
- CVE-2022-41323Oct 16, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
- CVE-2022-36359Aug 3, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-suppli
- CVE-2022-28347Apr 12, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
- CVE-2022-28346Apr 12, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
- CVE-2022-23833Feb 3, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
- CVE-2022-22818Feb 3, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
- CVE-2021-45115Jan 4, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where a
- CVE-2021-45116Jan 4, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method cal
- CVE-2021-45452Jan 4, 2022affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
- CVE-2021-44420Dec 7, 2021affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
- CVE-2021-33203Jun 8, 2021affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
- CVE-2021-33571Jun 8, 2021affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4
- CVE-2021-32052May 6, 2021affected < 2.2.28-bp153.2.3.1fixed 2.2.28-bp153.2.3.1
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Djang