rpm package
suse/python-Django&distro=SUSE Package Hub 15 SP4
pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP4
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-43665 | Hig | 7.5 | < 2.2.28-bp154.2.15.1 | 2.2.28-bp154.2.15.1 | Nov 3, 2023 | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML tex | |
| CVE-2023-36053 | Hig | 7.5 | < 2.2.28-bp154.2.12.1 | 2.2.28-bp154.2.12.1 | Jul 3, 2023 | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. | |
| CVE-2023-24580 | Hig | 7.5 | < 2.2.28-bp154.2.9.1 | 2.2.28-bp154.2.9.1 | Feb 15, 2023 | An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a po | |
| CVE-2023-23969 | Hig | 7.5 | < 2.2.28-bp154.2.6.1 | 2.2.28-bp154.2.6.1 | Feb 1, 2023 | In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language hea | |
| CVE-2022-41323 | Hig | 7.5 | < 2.2.28-bp154.2.6.1 | 2.2.28-bp154.2.6.1 | Oct 16, 2022 | In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. | |
| CVE-2022-36359 | Hig | 8.8 | < 2.2.28-bp154.2.3.3 | 2.2.28-bp154.2.3.3 | Aug 3, 2022 | An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-suppli |
- affected < 2.2.28-bp154.2.15.1fixed 2.2.28-bp154.2.15.1
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML tex
- affected < 2.2.28-bp154.2.12.1fixed 2.2.28-bp154.2.12.1
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
- affected < 2.2.28-bp154.2.9.1fixed 2.2.28-bp154.2.9.1
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a po
- affected < 2.2.28-bp154.2.6.1fixed 2.2.28-bp154.2.6.1
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language hea
- affected < 2.2.28-bp154.2.6.1fixed 2.2.28-bp154.2.6.1
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
- affected < 2.2.28-bp154.2.3.3fixed 2.2.28-bp154.2.3.3
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-suppli