Search a vulnerability

cve-2023-46695

Vulnerability from cvelistv5

Published

2023-11-02 00:00

Modified

2024-08-02 20:53

Severity ?

Summary

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.2/releases/security/
	https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
	https://security.netapp.com/advisory/ntap-20231214-0001/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:53:20.867Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231214-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-14T10:06:39.801548",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231214-0001/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-46695",
    "datePublished": "2023-11-02T00:00:00",
    "dateReserved": "2023-10-25T00:00:00",
    "dateUpdated": "2024-08-02T20:53:20.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-34265

Vulnerability from cvelistv5

Published

2022-07-04 00:00

Modified

2025-02-13 16:32

Severity ?

Summary

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
	https://security.netapp.com/advisory/ntap-20220818-0006/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:07:16.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220818-0006/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:14.431Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220818-0006/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-34265",
    "datePublished": "2022-07-04T00:00:00.000Z",
    "dateReserved": "2022-06-21T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:45.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-45116

Vulnerability from cvelistv5

Published

2022-01-04 23:12

Modified

2024-08-04 04:39

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/4.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2022/jan/04/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20220121-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.434Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language\u0027s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:28",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45116",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language\u0027s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/4.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220121-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45116",
    "datePublished": "2022-01-04T23:12:43",
    "dateReserved": "2021-12-16T00:00:00",
    "dateUpdated": "2024-08-04T04:39:20.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-9402

Vulnerability from cvelistv5

Published

2020-03-05 14:49

Modified

2024-08-04 10:26

Severity ?

Summary

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/3.0/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY	x_refsource_MISC
	https://www.djangoproject.com/weblog/2020/mar/04/security-releases/	x_refsource_CONFIRM
	https://usn.ubuntu.com/4296-1/	vendor-advisory, x_refsource_UBUNTU
	https://security.netapp.com/advisory/ntap-20200327-0004/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO
	https://www.debian.org/security/2020/dsa-4705	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/	vendor-advisory, x_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:26:16.139Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/mar/04/security-releases/"
          },
          {
            "name": "USN-4296-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4296-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200327-0004/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          },
          {
            "name": "DSA-4705",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4705"
          },
          {
            "name": "FEDORA-2020-c2639662af",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
          },
          {
            "name": "FEDORA-2020-2e7d30f7aa",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/"
          },
          {
            "name": "[debian-lts-announce] 20220526 [SECURITY] [DLA 3024-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-26T12:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/mar/04/security-releases/"
        },
        {
          "name": "USN-4296-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4296-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200327-0004/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        },
        {
          "name": "DSA-4705",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4705"
        },
        {
          "name": "FEDORA-2020-c2639662af",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
        },
        {
          "name": "FEDORA-2020-2e7d30f7aa",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/"
        },
        {
          "name": "[debian-lts-announce] 20220526 [SECURITY] [DLA 3024-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-9402",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/3.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/mar/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2020/mar/04/security-releases/"
            },
            {
              "name": "USN-4296-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4296-1/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200327-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200327-0004/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            },
            {
              "name": "DSA-4705",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4705"
            },
            {
              "name": "FEDORA-2020-c2639662af",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
            },
            {
              "name": "FEDORA-2020-2e7d30f7aa",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/"
            },
            {
              "name": "[debian-lts-announce] 20220526 [SECURITY] [DLA 3024-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-9402",
    "datePublished": "2020-03-05T14:49:57",
    "dateReserved": "2020-02-25T00:00:00",
    "dateUpdated": "2024-08-04T10:26:16.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-5963

Vulnerability from cvelistv5

Published

2015-08-24 14:00

Modified

2024-08-06 07:06

Severity ?

Summary

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.

References

▼	URL	Tags
	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html	vendor-advisory, x_refsource_SUSE
	http://rhn.redhat.com/errata/RHSA-2015-1894.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2015/dsa-3338	vendor-advisory, x_refsource_DEBIAN
	http://www.securitytracker.com/id/1033318	vdb-entry, x_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2015-1767.html	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	http://www.ubuntu.com/usn/USN-2720-1	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2015-1766.html	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2015:1876	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/76428	vdb-entry, x_refsource_BID
	https://www.djangoproject.com/weblog/2015/aug/18/security-releases/	x_refsource_MISC
	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:06:34.935Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2015-1dd5bc998f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
          },
          {
            "name": "openSUSE-SU-2015:1580",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html"
          },
          {
            "name": "RHSA-2015:1894",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
          },
          {
            "name": "DSA-3338",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3338"
          },
          {
            "name": "1033318",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1033318"
          },
          {
            "name": "RHSA-2015:1767",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "name": "USN-2720-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2720-1"
          },
          {
            "name": "RHSA-2015:1766",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
          },
          {
            "name": "RHSA-2015:1876",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2015:1876"
          },
          {
            "name": "76428",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/76428"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-08-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-02T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2015-1dd5bc998f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
        },
        {
          "name": "openSUSE-SU-2015:1580",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html"
        },
        {
          "name": "RHSA-2015:1894",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
        },
        {
          "name": "DSA-3338",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3338"
        },
        {
          "name": "1033318",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1033318"
        },
        {
          "name": "RHSA-2015:1767",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "name": "USN-2720-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2720-1"
        },
        {
          "name": "RHSA-2015:1766",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
        },
        {
          "name": "RHSA-2015:1876",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2015:1876"
        },
        {
          "name": "76428",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/76428"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5963",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2015-1dd5bc998f",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
            },
            {
              "name": "openSUSE-SU-2015:1580",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html"
            },
            {
              "name": "RHSA-2015:1894",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
            },
            {
              "name": "DSA-3338",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3338"
            },
            {
              "name": "1033318",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1033318"
            },
            {
              "name": "RHSA-2015:1767",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "USN-2720-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2720-1"
            },
            {
              "name": "RHSA-2015:1766",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
            },
            {
              "name": "RHSA-2015:1876",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2015:1876"
            },
            {
              "name": "76428",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/76428"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5963",
    "datePublished": "2015-08-24T14:00:00",
    "dateReserved": "2015-08-07T00:00:00",
    "dateUpdated": "2024-08-06T07:06:34.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-14232

Vulnerability from cvelistv5

Published

2019-08-02 00:00

Modified

2024-08-05 00:12

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
	https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html	vendor-advisory
	https://seclists.org/bugtraq/2019/Aug/15	mailing-list
	https://www.debian.org/security/2019/dsa-4498	vendor-advisory
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20190828-0002/
	https://security.gentoo.org/glsa/202004-17	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/10/04/6	mailing-list
	http://www.openwall.com/lists/oss-security/2024/03/04/1	mailing-list

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoblog_project:djangoblog:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "djangoblog",
            "vendor": "djangoblog_project",
            "versions": [
              {
                "lessThan": "2.2.4",
                "status": "affected",
                "version": "1.11.23",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2019-14232",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-02T18:04:48.307144Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:12:01.500Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:12:42.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
          },
          {
            "name": "openSUSE-SU-2019:1839",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
          },
          {
            "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/15"
          },
          {
            "name": "DSA-4498",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4498"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          },
          {
            "name": "FEDORA-2019-647f74ce51",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          },
          {
            "name": "[oss-security] 20231004 Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/04/6"
          },
          {
            "name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T17:09:49.299848",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
        },
        {
          "name": "openSUSE-SU-2019:1839",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
        },
        {
          "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/15"
        },
        {
          "name": "DSA-4498",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4498"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        },
        {
          "name": "FEDORA-2019-647f74ce51",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        },
        {
          "name": "[oss-security] 20231004 Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/04/6"
        },
        {
          "name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14232",
    "datePublished": "2019-08-02T00:00:00",
    "dateReserved": "2019-07-22T00:00:00",
    "dateUpdated": "2024-08-05T00:12:42.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-7536

Vulnerability from cvelistv5

Published

2018-03-09 00:00

Modified

2024-08-05 06:31

Severity ?

Summary

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

References

▼	URL	Tags
	https://usn.ubuntu.com/3591-1/	vendor-advisory
	https://access.redhat.com/errata/RHSA-2019:0051	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html	mailing-list
	http://www.securityfocus.com/bid/103361	vdb-entry
	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
	https://access.redhat.com/errata/RHSA-2019:0082	vendor-advisory
	https://access.redhat.com/errata/RHSA-2018:2927	vendor-advisory
	https://access.redhat.com/errata/RHSA-2019:0265	vendor-advisory
	https://www.debian.org/security/2018/dsa-4161	vendor-advisory
	https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
	https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
	https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:31:04.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3591-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3591-1/"
          },
          {
            "name": "RHSA-2019:0051",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0051"
          },
          {
            "name": "[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
          },
          {
            "name": "103361",
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103361"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"
          },
          {
            "name": "RHSA-2019:0082",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0082"
          },
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          },
          {
            "name": "RHSA-2019:0265",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0265"
          },
          {
            "name": "DSA-4161",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4161"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-07T22:05:43.713862",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3591-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/3591-1/"
        },
        {
          "name": "RHSA-2019:0051",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0051"
        },
        {
          "name": "[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
        },
        {
          "name": "103361",
          "tags": [
            "vdb-entry"
          ],
          "url": "http://www.securityfocus.com/bid/103361"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"
        },
        {
          "name": "RHSA-2019:0082",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0082"
        },
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        },
        {
          "name": "RHSA-2019:0265",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0265"
        },
        {
          "name": "DSA-4161",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4161"
        },
        {
          "url": "https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2"
        },
        {
          "url": "https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16"
        },
        {
          "url": "https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-7536",
    "datePublished": "2018-03-09T00:00:00",
    "dateReserved": "2018-02-26T00:00:00",
    "dateUpdated": "2024-08-05T06:31:04.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-1443

Vulnerability from cvelistv5

Published

2013-09-23 20:00

Modified

2024-08-06 15:04

Severity ?

Summary

The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

References

▼	URL	Tags
	http://www.debian.org/security/2013/dsa-2758	vendor-advisory, x_refsource_DEBIAN
	http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html	mailing-list, x_refsource_MLIST
	http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2013/sep/15/security/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html	vendor-advisory, x_refsource_SUSE

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T15:04:48.781Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-2758",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2758"
          },
          {
            "name": "[django-developers] 20130914 Set a reasonable upper bound on password length",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html"
          },
          {
            "name": "openSUSE-SU-2013:1541",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/sep/15/security/"
          },
          {
            "name": "openSUSE-SU-2013:1685",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-09-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-01-23T14:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "DSA-2758",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2758"
        },
        {
          "name": "[django-developers] 20130914 Set a reasonable upper bound on password length",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html"
        },
        {
          "name": "openSUSE-SU-2013:1541",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/sep/15/security/"
        },
        {
          "name": "openSUSE-SU-2013:1685",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2013-1443",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-2758",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2013/dsa-2758"
            },
            {
              "name": "[django-developers] 20130914 Set a reasonable upper bound on password length",
              "refsource": "MLIST",
              "url": "http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html"
            },
            {
              "name": "openSUSE-SU-2013:1541",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2013/sep/15/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2013/sep/15/security/"
            },
            {
              "name": "openSUSE-SU-2013:1685",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2013-1443",
    "datePublished": "2013-09-23T20:00:00",
    "dateReserved": "2013-01-26T00:00:00",
    "dateUpdated": "2024-08-06T15:04:48.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-56374

Vulnerability from cvelistv5

Published

2025-01-14 00:00

Modified

2025-02-12 20:31

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Summary

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/g/django-announce
	https://www.djangoproject.com/weblog/2025/jan/14/security-releases/

Impacted products

▼	Vendor	Product
	djangoproject	Django

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T18:03:28.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/14/2"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56374",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T19:40:35.398718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:31:20.698Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Django",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "4.2.18",
              "status": "affected",
              "version": "4.2",
              "versionType": "custom"
            },
            {
              "lessThan": "5.0.11",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.1.5",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.2.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.11",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.1.5",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T19:07:03.855Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2025/jan/14/security-releases/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-56374",
    "datePublished": "2025-01-14T00:00:00.000Z",
    "dateReserved": "2024-12-22T00:00:00.000Z",
    "dateUpdated": "2025-02-12T20:31:20.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2009-3695

Vulnerability from cvelistv5

Published

2009-10-13 10:00

Modified

2024-08-07 06:38

Severity ?

Summary

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/36655	vdb-entry, x_refsource_BID
	https://exchange.xforce.ibmcloud.com/vulnerabilities/53727	vdb-entry, x_refsource_XF
	http://www.djangoproject.com/weblog/2009/oct/09/security/	x_refsource_CONFIRM
	http://secunia.com/advisories/36948	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/36968	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2009/dsa-1905	vendor-advisory, x_refsource_DEBIAN
	http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/	x_refsource_MISC
	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2009/10/13/6	mailing-list, x_refsource_MLIST
	http://www.vupen.com/english/advisories/2009/2871	vdb-entry, x_refsource_VUPEN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T06:38:30.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "36655",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/36655"
          },
          {
            "name": "django-emailfield-urlfield-dos(53727)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"
          },
          {
            "name": "36948",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/36948"
          },
          {
            "name": "36968",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/36968"
          },
          {
            "name": "DSA-1905",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2009/dsa-1905"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"
          },
          {
            "name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"
          },
          {
            "name": "ADV-2009-2871",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/2871"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-10-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "36655",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/36655"
        },
        {
          "name": "django-emailfield-urlfield-dos(53727)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"
        },
        {
          "name": "36948",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/36948"
        },
        {
          "name": "36968",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/36968"
        },
        {
          "name": "DSA-1905",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2009/dsa-1905"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"
        },
        {
          "name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"
        },
        {
          "name": "ADV-2009-2871",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/2871"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-3695",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "36655",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/36655"
            },
            {
              "name": "django-emailfield-urlfield-dos(53727)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53727"
            },
            {
              "name": "http://www.djangoproject.com/weblog/2009/oct/09/security/",
              "refsource": "CONFIRM",
              "url": "http://www.djangoproject.com/weblog/2009/oct/09/security/"
            },
            {
              "name": "36948",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/36948"
            },
            {
              "name": "36968",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/36968"
            },
            {
              "name": "DSA-1905",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2009/dsa-1905"
            },
            {
              "name": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/",
              "refsource": "MISC",
              "url": "http://groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/"
            },
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457",
              "refsource": "CONFIRM",
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"
            },
            {
              "name": "[oss-security] 20091013 Re: Duplicate CVE assignment notification [was: CVE id request: django]",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2009/10/13/6"
            },
            {
              "name": "ADV-2009-2871",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2009/2871"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-3695",
    "datePublished": "2009-10-13T10:00:00",
    "dateReserved": "2009-10-13T00:00:00",
    "dateUpdated": "2024-08-07T06:38:30.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-3730

Vulnerability from cvelistv5

Published

2014-05-16 15:00

Modified

2024-08-06 10:50

Severity ?

Summary

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."

References

▼	URL	Tags
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2014/dsa-2934	vendor-advisory, x_refsource_DEBIAN
	http://ubuntu.com/usn/usn-2212-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/67410	vdb-entry, x_refsource_BID
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.openwall.com/lists/oss-security/2014/05/15/3	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2014/05/14/10	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:50:18.338Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "USN-2212-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2212-1"
          },
          {
            "name": "67410",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/67410"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
          },
          {
            "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-05-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "DSA-2934",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2934"
        },
        {
          "name": "USN-2212-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2212-1"
        },
        {
          "name": "67410",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/67410"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
        },
        {
          "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-3730",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "USN-2212-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2212-1"
            },
            {
              "name": "67410",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/67410"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
            },
            {
              "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-3730",
    "datePublished": "2014-05-16T15:00:00",
    "dateReserved": "2014-05-14T00:00:00",
    "dateUpdated": "2024-08-06T10:50:18.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-41990

Vulnerability from cvelistv5

Published

2024-08-07 00:00

Modified

2024-09-18 14:57

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "4.2.15",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.8",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "pkg:pypi/django@4.2.15",
                "status": "affected",
                "version": "pkg:pypi/django@4.2",
                "versionType": "custom"
              },
              {
                "lessThan": "pkg:pypi/django@5.0.8",
                "status": "affected",
                "version": "pkg:pypi/django@5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T15:20:51.732074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-130",
                "description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T14:57:21.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-07T14:11:45.667382",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-41990",
    "datePublished": "2024-08-07T00:00:00",
    "dateReserved": "2024-07-25T00:00:00",
    "dateUpdated": "2024-09-18T14:57:21.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2010-4535

Vulnerability from cvelistv5

Published

2011-01-10 19:18

Modified

2024-08-07 03:51

Severity ?

Summary

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

References

▼	URL	Tags
	http://code.djangoproject.com/changeset/15032	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2010/12/23/4	mailing-list, x_refsource_MLIST
	http://www.ubuntu.com/usn/USN-1040-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/45563	vdb-entry, x_refsource_BID
	http://www.openwall.com/lists/oss-security/2011/01/03/5	mailing-list, x_refsource_MLIST
	http://secunia.com/advisories/42913	third-party-advisory, x_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2011/0048	vdb-entry, x_refsource_VUPEN
	http://www.vupen.com/english/advisories/2011/0098	vdb-entry, x_refsource_VUPEN
	http://www.djangoproject.com/weblog/2010/dec/22/security/	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html	vendor-advisory, x_refsource_FEDORA
	https://bugzilla.redhat.com/show_bug.cgi?id=665373	x_refsource_CONFIRM
	http://secunia.com/advisories/42715	third-party-advisory, x_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html	vendor-advisory, x_refsource_FEDORA
	http://secunia.com/advisories/42827	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T03:51:17.300Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://code.djangoproject.com/changeset/15032"
          },
          {
            "name": "[oss-security] 20101223 CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2010/12/23/4"
          },
          {
            "name": "USN-1040-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1040-1"
          },
          {
            "name": "45563",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/45563"
          },
          {
            "name": "[oss-security] 20110103 Re: CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
          },
          {
            "name": "42913",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42913"
          },
          {
            "name": "ADV-2011-0048",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0048"
          },
          {
            "name": "ADV-2011-0098",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0098"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2010/dec/22/security/"
          },
          {
            "name": "FEDORA-2011-0096",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=665373"
          },
          {
            "name": "42715",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42715"
          },
          {
            "name": "FEDORA-2011-0120",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html"
          },
          {
            "name": "42827",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42827"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-01-19T10:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://code.djangoproject.com/changeset/15032"
        },
        {
          "name": "[oss-security] 20101223 CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2010/12/23/4"
        },
        {
          "name": "USN-1040-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1040-1"
        },
        {
          "name": "45563",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/45563"
        },
        {
          "name": "[oss-security] 20110103 Re: CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
        },
        {
          "name": "42913",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42913"
        },
        {
          "name": "ADV-2011-0048",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0048"
        },
        {
          "name": "ADV-2011-0098",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0098"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2010/dec/22/security/"
        },
        {
          "name": "FEDORA-2011-0096",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=665373"
        },
        {
          "name": "42715",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42715"
        },
        {
          "name": "FEDORA-2011-0120",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html"
        },
        {
          "name": "42827",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42827"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-4535",
    "datePublished": "2011-01-10T19:18:00",
    "dateReserved": "2010-12-09T00:00:00",
    "dateUpdated": "2024-08-07T03:51:17.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-7471

Vulnerability from cvelistv5

Published

2020-02-03 11:59

Modified

2024-08-04 09:33

Severity ?

Summary

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI	x_refsource_CONFIRM
	https://docs.djangoproject.com/en/3.0/releases/security/	x_refsource_CONFIRM
	https://www.openwall.com/lists/oss-security/2020/02/03/1	x_refsource_CONFIRM
	https://www.djangoproject.com/weblog/2020/feb/03/security-releases/	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2020/02/03/1	mailing-list, x_refsource_MLIST
	https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136	x_refsource_CONFIRM
	https://usn.ubuntu.com/4264-1/	vendor-advisory, x_refsource_UBUNTU
	https://seclists.org/bugtraq/2020/Feb/30	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2020/dsa-4629	vendor-advisory, x_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-20200221-0006/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.635Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"
          },
          {
            "name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"
          },
          {
            "name": "USN-4264-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4264-1/"
          },
          {
            "name": "20200219 [SECURITY] [DSA 4629-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Feb/30"
          },
          {
            "name": "DSA-4629",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4629"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          },
          {
            "name": "FEDORA-2020-c2639662af",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-19T02:06:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"
        },
        {
          "name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"
        },
        {
          "name": "USN-4264-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4264-1/"
        },
        {
          "name": "20200219 [SECURITY] [DSA 4629-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Feb/30"
        },
        {
          "name": "DSA-4629",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4629"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        },
        {
          "name": "FEDORA-2020-c2639662af",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7471",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.0/releases/security/",
              "refsource": "CONFIRM",
              "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2020/02/03/1",
              "refsource": "CONFIRM",
              "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"
            },
            {
              "name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"
            },
            {
              "name": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"
            },
            {
              "name": "USN-4264-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4264-1/"
            },
            {
              "name": "20200219 [SECURITY] [DSA 4629-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Feb/30"
            },
            {
              "name": "DSA-4629",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4629"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200221-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            },
            {
              "name": "FEDORA-2020-c2639662af",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7471",
    "datePublished": "2020-02-03T11:59:20",
    "dateReserved": "2020-01-21T00:00:00",
    "dateUpdated": "2024-08-04T09:33:19.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-27556

Vulnerability from cvelistv5

Published

2025-04-02 00:00

Modified

2025-04-02 22:03

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Summary

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/g/django-announce
	https://www.djangoproject.com/weblog/2025/apr/02/security-releases/

Impacted products

▼	Vendor	Product
	djangoproject	Django

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27556",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-02T13:21:14.015825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-02T13:27:54.960Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-02T22:03:22.423Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/02/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Django",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "5.0.14",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.1.8",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.14",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.1.8",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-02T12:37:20.419Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27556",
    "datePublished": "2025-04-02T00:00:00.000Z",
    "dateReserved": "2025-03-02T00:00:00.000Z",
    "dateUpdated": "2025-04-02T22:03:22.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-0306

Vulnerability from cvelistv5

Published

2013-05-02 14:00

Modified

2024-08-06 14:25

Severity ?

Summary

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2013/feb/19/security/	x_refsource_CONFIRM
	http://ubuntu.com/usn/usn-1757-1	vendor-advisory, x_refsource_UBUNTU
	http://www.debian.org/security/2013/dsa-2634	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2013-0670.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:25:08.778Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/feb/19/security/"
          },
          {
            "name": "USN-1757-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-1757-1"
          },
          {
            "name": "DSA-2634",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2634"
          },
          {
            "name": "RHSA-2013:0670",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-02-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-05-15T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/feb/19/security/"
        },
        {
          "name": "USN-1757-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-1757-1"
        },
        {
          "name": "DSA-2634",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2634"
        },
        {
          "name": "RHSA-2013:0670",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0306",
    "datePublished": "2013-05-02T14:00:00",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:25:08.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-31047

Vulnerability from cvelistv5

Published

2023-05-07 00:00

Modified

2025-01-29 15:51

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.2/releases/security/
	https://www.djangoproject.com/weblog/2023/may/03/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20230609-0008/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:45:25.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/"
          },
          {
            "name": "FEDORA-2023-0d20d09f2d",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"
          },
          {
            "name": "FEDORA-2023-8f9d949dbc",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230609-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-31047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T15:49:48.792800Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-29T15:51:24.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django\u0027s \"Uploading multiple files\" documentation suggested otherwise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-09T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/"
        },
        {
          "name": "FEDORA-2023-0d20d09f2d",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/"
        },
        {
          "name": "FEDORA-2023-8f9d949dbc",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230609-0008/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-31047",
    "datePublished": "2023-05-07T00:00:00.000Z",
    "dateReserved": "2023-04-24T00:00:00.000Z",
    "dateUpdated": "2025-01-29T15:51:24.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-9014

Vulnerability from cvelistv5

Published

2016-12-09 20:00

Modified

2024-08-06 02:35

Severity ?

Summary

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2016/nov/01/security-releases/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/	vendor-advisory, x_refsource_FEDORA
	http://www.securityfocus.com/bid/94068	vdb-entry, x_refsource_BID
	http://www.debian.org/security/2017/dsa-3835	vendor-advisory, x_refsource_DEBIAN
	http://www.ubuntu.com/usn/USN-3115-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securitytracker.com/id/1037159	vdb-entry, x_refsource_SECTRACK
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:35:02.332Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
          },
          {
            "name": "FEDORA-2016-d4571bf555",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
          },
          {
            "name": "94068",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94068"
          },
          {
            "name": "DSA-3835",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3835"
          },
          {
            "name": "USN-3115-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3115-1"
          },
          {
            "name": "1037159",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1037159"
          },
          {
            "name": "FEDORA-2016-3eb5a55123",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-11-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
        },
        {
          "name": "FEDORA-2016-d4571bf555",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
        },
        {
          "name": "94068",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94068"
        },
        {
          "name": "DSA-3835",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3835"
        },
        {
          "name": "USN-3115-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3115-1"
        },
        {
          "name": "1037159",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1037159"
        },
        {
          "name": "FEDORA-2016-3eb5a55123",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-9014",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
            },
            {
              "name": "FEDORA-2016-d4571bf555",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
            },
            {
              "name": "94068",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94068"
            },
            {
              "name": "DSA-3835",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3835"
            },
            {
              "name": "USN-3115-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3115-1"
            },
            {
              "name": "1037159",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1037159"
            },
            {
              "name": "FEDORA-2016-3eb5a55123",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-9014",
    "datePublished": "2016-12-09T20:00:00",
    "dateReserved": "2016-10-25T00:00:00",
    "dateUpdated": "2024-08-06T02:35:02.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-19118

Vulnerability from cvelistv5

Published

2019-12-02 13:16

Modified

2024-08-05 02:09

Severity ?

Summary

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2019/12/02/1	mailing-list, x_refsource_MLIST
	https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/dec/02/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20191217-0003/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:09:39.366Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "[oss-security] 20191202 Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/12/02/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20191217-0003/"
          },
          {
            "name": "FEDORA-2019-adc8990386",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:12",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "[oss-security] 20191202 Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/12/02/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20191217-0003/"
        },
        {
          "name": "FEDORA-2019-adc8990386",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-19118",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "[oss-security] 20191202 Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin.",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/12/02/1"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20191217-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20191217-0003/"
            },
            {
              "name": "FEDORA-2019-adc8990386",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-19118",
    "datePublished": "2019-12-02T13:16:34",
    "dateReserved": "2019-11-19T00:00:00",
    "dateUpdated": "2024-08-05T02:09:39.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44420

Vulnerability from cvelistv5

Published

2021-12-07 22:55

Modified

2024-08-04 04:17

Severity ?

Summary

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/3.2/releases/security/	x_refsource_MISC
	https://www.openwall.com/lists/oss-security/2021/12/07/1	x_refsource_CONFIRM
	https://www.djangoproject.com/weblog/2021/dec/07/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20211229-0006/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:17:25.193Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211229-0006/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:38",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20211229-0006/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-44420",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.2/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2021/12/07/1",
              "refsource": "CONFIRM",
              "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211229-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20211229-0006/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-44420",
    "datePublished": "2021-12-07T22:55:40",
    "dateReserved": "2021-11-29T00:00:00",
    "dateUpdated": "2024-08-04T04:17:25.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-28658

Vulnerability from cvelistv5

Published

2021-04-06 14:51

Modified

2024-08-03 21:47

Severity ?

Summary

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/3.1/releases/security/	x_refsource_MISC
	https://groups.google.com/g/django-announce/c/ePr5j-ngdPU	x_refsource_MISC
	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20210528-0001/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:33.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
          },
          {
            "name": "FEDORA-2021-01044b8a59",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-28T09:06:11",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
        },
        {
          "name": "FEDORA-2021-01044b8a59",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28658",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/3.1/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
            },
            {
              "name": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
            },
            {
              "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
            },
            {
              "name": "FEDORA-2021-01044b8a59",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28658",
    "datePublished": "2021-04-06T14:51:43",
    "dateReserved": "2021-03-17T00:00:00",
    "dateUpdated": "2024-08-03T21:47:33.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-5144

Vulnerability from cvelistv5

Published

2015-07-14 17:00

Modified

2024-08-06 06:32

Severity ?

Summary

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

References

▼	URL	Tags
	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/201510-06	vendor-advisory, x_refsource_GENTOO
	https://www.djangoproject.com/weblog/2015/jul/08/security-releases/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2015/dsa-3305	vendor-advisory, x_refsource_DEBIAN
	http://www.securityfocus.com/bid/75665	vdb-entry, x_refsource_BID
	http://www.ubuntu.com/usn/USN-2671-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securitytracker.com/id/1032820	vdb-entry, x_refsource_SECTRACK
	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:32:32.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2015-1dd5bc998f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
          },
          {
            "name": "GLSA-201510-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201510-06"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
          },
          {
            "name": "openSUSE-SU-2015:1802",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
          },
          {
            "name": "openSUSE-SU-2015:1813",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
          },
          {
            "name": "DSA-3305",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3305"
          },
          {
            "name": "75665",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/75665"
          },
          {
            "name": "USN-2671-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2671-1"
          },
          {
            "name": "1032820",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1032820"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-07-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-21T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2015-1dd5bc998f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
        },
        {
          "name": "GLSA-201510-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201510-06"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
        },
        {
          "name": "openSUSE-SU-2015:1802",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
        },
        {
          "name": "openSUSE-SU-2015:1813",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
        },
        {
          "name": "DSA-3305",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3305"
        },
        {
          "name": "75665",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/75665"
        },
        {
          "name": "USN-2671-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2671-1"
        },
        {
          "name": "1032820",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1032820"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5144",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2015-1dd5bc998f",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
            },
            {
              "name": "GLSA-201510-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201510-06"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
            },
            {
              "name": "openSUSE-SU-2015:1802",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
            },
            {
              "name": "openSUSE-SU-2015:1813",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
            },
            {
              "name": "DSA-3305",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3305"
            },
            {
              "name": "75665",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/75665"
            },
            {
              "name": "USN-2671-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2671-1"
            },
            {
              "name": "1032820",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1032820"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5144",
    "datePublished": "2015-07-14T17:00:00",
    "dateReserved": "2015-06-29T00:00:00",
    "dateUpdated": "2024-08-06T06:32:32.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0473

Vulnerability from cvelistv5

Published

2014-04-23 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

References

▼	URL	Tags
	http://www.ubuntu.com/usn/USN-2169-1	vendor-advisory, x_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2014/apr/21/security/	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2014-0457.html	vendor-advisory, x_refsource_REDHAT
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2014/dsa-2934	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://rhn.redhat.com/errata/RHSA-2014-0456.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.401Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-2169-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2169-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
          },
          {
            "name": "RHSA-2014:0457",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "RHSA-2014:0456",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-04-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "USN-2169-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2169-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
        },
        {
          "name": "RHSA-2014:0457",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "DSA-2934",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2934"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "RHSA-2014:0456",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0473",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2169-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2169-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
            },
            {
              "name": "RHSA-2014:0457",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "RHSA-2014:0456",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0473",
    "datePublished": "2014-04-23T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-14233

Vulnerability from cvelistv5

Published

2019-08-02 14:31

Modified

2024-08-05 00:12

Severity ?

Summary

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/aug/01/security-releases/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html	vendor-advisory, x_refsource_SUSE
	https://seclists.org/bugtraq/2019/Aug/15	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4498	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory, x_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20190828-0002/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:12:42.524Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
          },
          {
            "name": "openSUSE-SU-2019:1839",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
          },
          {
            "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/15"
          },
          {
            "name": "DSA-4498",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4498"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          },
          {
            "name": "FEDORA-2019-647f74ce51",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:14",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
        },
        {
          "name": "openSUSE-SU-2019:1839",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
        },
        {
          "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/15"
        },
        {
          "name": "DSA-4498",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4498"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        },
        {
          "name": "FEDORA-2019-647f74ce51",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14233",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
            },
            {
              "name": "openSUSE-SU-2019:1839",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
            },
            {
              "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/15"
            },
            {
              "name": "DSA-4498",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4498"
            },
            {
              "name": "openSUSE-SU-2019:1872",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
            },
            {
              "name": "FEDORA-2019-647f74ce51",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190828-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14233",
    "datePublished": "2019-08-02T14:31:09",
    "dateReserved": "2019-07-22T00:00:00",
    "dateUpdated": "2024-08-05T00:12:42.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-3281

Vulnerability from cvelistv5

Published

2021-02-02 06:16

Modified

2024-08-03 16:53

Severity ?

Summary

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/3.1/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2021/feb/01/security-releases/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20210226-0004/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2021-5329c680f7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-26T08:06:39",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2021-5329c680f7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-3281",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.1/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"
            },
            {
              "name": "FEDORA-2021-5329c680f7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210226-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-3281",
    "datePublished": "2021-02-02T06:16:28",
    "dateReserved": "2021-01-22T00:00:00",
    "dateUpdated": "2024-08-03T16:53:17.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-24584

Vulnerability from cvelistv5

Published

2020-09-01 12:36

Modified

2024-08-04 15:19

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://usn.ubuntu.com/4479-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM	x_refsource_MISC
	https://www.openwall.com/lists/oss-security/2020/09/01/2	x_refsource_MISC
	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20200918-0004/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:19:08.642Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "USN-4479-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4479-1/"
          },
          {
            "name": "FEDORA-2020-94407454d7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
          },
          {
            "name": "FEDORA-2020-6941c0a65b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
          },
          {
            "name": "FEDORA-2020-9c6b391162",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system\u0027s standard umask rather than 0o077."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "USN-4479-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4479-1/"
        },
        {
          "name": "FEDORA-2020-94407454d7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
        },
        {
          "name": "FEDORA-2020-6941c0a65b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
        },
        {
          "name": "FEDORA-2020-9c6b391162",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-24584",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system\u0027s standard umask rather than 0o077."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "USN-4479-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4479-1/"
            },
            {
              "name": "FEDORA-2020-94407454d7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
            },
            {
              "name": "FEDORA-2020-6941c0a65b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
            },
            {
              "name": "FEDORA-2020-9c6b391162",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2020/09/01/2",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200918-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-24584",
    "datePublished": "2020-09-01T12:36:06",
    "dateReserved": "2020-08-21T00:00:00",
    "dateUpdated": "2024-08-04T15:19:08.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-5145

Vulnerability from cvelistv5

Published

2015-07-14 17:00

Modified

2024-08-06 06:32

Severity ?

Summary

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

References

▼	URL	Tags
	https://security.gentoo.org/glsa/201510-06	vendor-advisory, x_refsource_GENTOO
	https://www.djangoproject.com/weblog/2015/jul/08/security-releases/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/75691	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1032820	vdb-entry, x_refsource_SECTRACK

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:32:32.865Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GLSA-201510-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201510-06"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
          },
          {
            "name": "75691",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/75691"
          },
          {
            "name": "1032820",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1032820"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-07-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-21T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "GLSA-201510-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201510-06"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
        },
        {
          "name": "75691",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/75691"
        },
        {
          "name": "1032820",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1032820"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5145",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "GLSA-201510-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201510-06"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
            },
            {
              "name": "75691",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/75691"
            },
            {
              "name": "1032820",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1032820"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5145",
    "datePublished": "2015-07-14T17:00:00",
    "dateReserved": "2015-06-29T00:00:00",
    "dateUpdated": "2024-08-06T06:32:32.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-41989

Vulnerability from cvelistv5

Published

2024-08-07 00:00

Modified

2025-03-14 18:52

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "4.2.15",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.8",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41989",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-08T19:34:43.299369Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T18:52:59.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-07T14:10:31.266Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-41989",
    "datePublished": "2024-08-07T00:00:00.000Z",
    "dateReserved": "2024-07-25T00:00:00.000Z",
    "dateUpdated": "2025-03-14T18:52:59.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-42005

Vulnerability from cvelistv5

Published

2024-08-07 00:00

Modified

2024-09-03 17:36

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "4.2.15",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.8",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-42005",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-16T20:19:17.076015Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:36:29.599Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-07T14:14:51.264922",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-42005",
    "datePublished": "2024-08-07T00:00:00",
    "dateReserved": "2024-07-26T00:00:00",
    "dateUpdated": "2024-09-03T17:36:29.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-0305

Vulnerability from cvelistv5

Published

2013-05-02 14:00

Modified

2024-08-06 14:18

Severity ?

Summary

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2013/feb/19/security/	x_refsource_CONFIRM
	http://ubuntu.com/usn/usn-1757-1	vendor-advisory, x_refsource_UBUNTU
	http://www.debian.org/security/2013/dsa-2634	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2013-0670.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.639Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/feb/19/security/"
          },
          {
            "name": "USN-1757-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-1757-1"
          },
          {
            "name": "DSA-2634",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2634"
          },
          {
            "name": "RHSA-2013:0670",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-02-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-05-15T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/feb/19/security/"
        },
        {
          "name": "USN-1757-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-1757-1"
        },
        {
          "name": "DSA-2634",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2634"
        },
        {
          "name": "RHSA-2013:0670",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0305",
    "datePublished": "2013-05-02T14:00:00",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-24583

Vulnerability from cvelistv5

Published

2020-09-01 12:33

Modified

2024-08-04 15:19

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://usn.ubuntu.com/4479-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM	x_refsource_MISC
	https://www.openwall.com/lists/oss-security/2020/09/01/2	x_refsource_MISC
	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20200918-0004/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:19:08.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "USN-4479-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4479-1/"
          },
          {
            "name": "FEDORA-2020-94407454d7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
          },
          {
            "name": "FEDORA-2020-6941c0a65b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
          },
          {
            "name": "FEDORA-2020-9c6b391162",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "USN-4479-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4479-1/"
        },
        {
          "name": "FEDORA-2020-94407454d7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
        },
        {
          "name": "FEDORA-2020-6941c0a65b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
        },
        {
          "name": "FEDORA-2020-9c6b391162",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-24583",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "USN-4479-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4479-1/"
            },
            {
              "name": "FEDORA-2020-94407454d7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"
            },
            {
              "name": "FEDORA-2020-6941c0a65b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"
            },
            {
              "name": "FEDORA-2020-9c6b391162",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2020/09/01/2",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200918-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-24583",
    "datePublished": "2020-09-01T12:33:13",
    "dateReserved": "2020-08-21T00:00:00",
    "dateUpdated": "2024-08-04T15:19:08.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-7401

Vulnerability from cvelistv5

Published

2016-10-03 18:00

Modified

2024-08-06 01:57

Severity ?

Summary

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

References

▼	URL	Tags
	http://www.debian.org/security/2016/dsa-3678	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-2040.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2016-2043.html	vendor-advisory, x_refsource_REDHAT
	http://www.securitytracker.com/id/1036899	vdb-entry, x_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2016-2041.html	vendor-advisory, x_refsource_REDHAT
	https://www.djangoproject.com/weblog/2016/sep/26/security-releases/	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2016-2042.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-3089-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/93182	vdb-entry, x_refsource_BID
	http://rhn.redhat.com/errata/RHSA-2016-2038.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2016-2039.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:57:47.529Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-3678",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3678"
          },
          {
            "name": "RHSA-2016:2040",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
          },
          {
            "name": "RHSA-2016:2043",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
          },
          {
            "name": "1036899",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036899"
          },
          {
            "name": "RHSA-2016:2041",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
          },
          {
            "name": "RHSA-2016:2042",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
          },
          {
            "name": "USN-3089-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3089-1"
          },
          {
            "name": "93182",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93182"
          },
          {
            "name": "RHSA-2016:2038",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
          },
          {
            "name": "RHSA-2016:2039",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "DSA-3678",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3678"
        },
        {
          "name": "RHSA-2016:2040",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
        },
        {
          "name": "RHSA-2016:2043",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
        },
        {
          "name": "1036899",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036899"
        },
        {
          "name": "RHSA-2016:2041",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
        },
        {
          "name": "RHSA-2016:2042",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
        },
        {
          "name": "USN-3089-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3089-1"
        },
        {
          "name": "93182",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93182"
        },
        {
          "name": "RHSA-2016:2038",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
        },
        {
          "name": "RHSA-2016:2039",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-7401",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-3678",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3678"
            },
            {
              "name": "RHSA-2016:2040",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
            },
            {
              "name": "RHSA-2016:2043",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
            },
            {
              "name": "1036899",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036899"
            },
            {
              "name": "RHSA-2016:2041",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
            },
            {
              "name": "RHSA-2016:2042",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
            },
            {
              "name": "USN-3089-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3089-1"
            },
            {
              "name": "93182",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93182"
            },
            {
              "name": "RHSA-2016:2038",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
            },
            {
              "name": "RHSA-2016:2039",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-7401",
    "datePublished": "2016-10-03T18:00:00",
    "dateReserved": "2016-09-09T00:00:00",
    "dateUpdated": "2024-08-06T01:57:47.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-31542

Vulnerability from cvelistv5

Published

2021-05-05 00:00

Modified

2024-08-03 23:03

Severity ?

Summary

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/3.2/releases/security/
	http://www.openwall.com/lists/oss-security/2021/05/04/3
	https://www.djangoproject.com/weblog/2021/may/04/security-releases/
	https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20210618-0001/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
	https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
	https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:03:33.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/04/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/may/04/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20210506 [SECURITY] [DLA 2651-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html"
          },
          {
            "name": "FEDORA-2021-01044b8a59",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210618-0001/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-07T21:59:18.604732",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2021/05/04/3"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2021/may/04/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20210506 [SECURITY] [DLA 2651-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html"
        },
        {
          "name": "FEDORA-2021-01044b8a59",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20210618-0001/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d"
        },
        {
          "url": "https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48"
        },
        {
          "url": "https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-31542",
    "datePublished": "2021-05-05T00:00:00",
    "dateReserved": "2021-04-22T00:00:00",
    "dateUpdated": "2024-08-03T23:03:33.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-41991

Vulnerability from cvelistv5

Published

2024-08-07 00:00

Modified

2024-08-12 15:56

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "4.2.15",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.8",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-41991",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T17:57:11.874865Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-130",
                "description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T15:56:42.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-07T14:13:02.341557",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-41991",
    "datePublished": "2024-08-07T00:00:00",
    "dateReserved": "2024-07-25T00:00:00",
    "dateUpdated": "2024-08-12T15:56:42.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-5964

Vulnerability from cvelistv5

Published

2015-08-24 14:00

Modified

2024-08-06 07:06

Severity ?

Summary

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.

References

▼	URL	Tags
	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html	vendor-advisory, x_refsource_FEDORA
	http://rhn.redhat.com/errata/RHSA-2015-1894.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2015/dsa-3338	vendor-advisory, x_refsource_DEBIAN
	http://www.securitytracker.com/id/1033318	vdb-entry, x_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2015-1767.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2720-1	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2015-1766.html	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/76440	vdb-entry, x_refsource_BID
	https://www.djangoproject.com/weblog/2015/aug/18/security-releases/	x_refsource_MISC
	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:06:34.982Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2015-1dd5bc998f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
          },
          {
            "name": "RHSA-2015:1894",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
          },
          {
            "name": "DSA-3338",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3338"
          },
          {
            "name": "1033318",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1033318"
          },
          {
            "name": "RHSA-2015:1767",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
          },
          {
            "name": "USN-2720-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2720-1"
          },
          {
            "name": "RHSA-2015:1766",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
          },
          {
            "name": "76440",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/76440"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-08-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-22T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2015-1dd5bc998f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
        },
        {
          "name": "RHSA-2015:1894",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
        },
        {
          "name": "DSA-3338",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3338"
        },
        {
          "name": "1033318",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1033318"
        },
        {
          "name": "RHSA-2015:1767",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
        },
        {
          "name": "USN-2720-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2720-1"
        },
        {
          "name": "RHSA-2015:1766",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
        },
        {
          "name": "76440",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/76440"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5964",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2015-1dd5bc998f",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
            },
            {
              "name": "RHSA-2015:1894",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1894.html"
            },
            {
              "name": "DSA-3338",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3338"
            },
            {
              "name": "1033318",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1033318"
            },
            {
              "name": "RHSA-2015:1767",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1767.html"
            },
            {
              "name": "USN-2720-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2720-1"
            },
            {
              "name": "RHSA-2015:1766",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1766.html"
            },
            {
              "name": "76440",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/76440"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2015/aug/18/security-releases/"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5964",
    "datePublished": "2015-08-24T14:00:00",
    "dateReserved": "2015-08-07T00:00:00",
    "dateUpdated": "2024-08-06T07:06:34.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-24680

Vulnerability from cvelistv5

Published

2024-02-06 00:00

Modified

2024-08-01 23:28

Severity ?

Summary

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/5.0/releases/security/
	https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:11.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/5.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"
          },
          {
            "name": "FEDORA-2024-5c7fb64c74",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
          },
          {
            "name": "FEDORA-2024-2ec03ca8cb",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
          },
          {
            "name": "FEDORA-2024-84fbbbb914",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-20T03:05:55.273636",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/5.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"
        },
        {
          "name": "FEDORA-2024-5c7fb64c74",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
        },
        {
          "name": "FEDORA-2024-2ec03ca8cb",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
        },
        {
          "name": "FEDORA-2024-84fbbbb914",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-24680",
    "datePublished": "2024-02-06T00:00:00",
    "dateReserved": "2024-01-26T00:00:00",
    "dateUpdated": "2024-08-01T23:28:11.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-12794

Vulnerability from cvelistv5

Published

2017-09-07 13:00

Modified

2024-08-05 18:51

Severity ?

Summary

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

References

▼	URL	Tags
	https://usn.ubuntu.com/3559-1/	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/100643	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1039264	vdb-entry, x_refsource_SECTRACK
	https://www.djangoproject.com/weblog/2017/sep/05/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:51:07.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3559-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3559-1/"
          },
          {
            "name": "100643",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100643"
          },
          {
            "name": "1039264",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039264"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-09-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-15T09:57:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3559-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3559-1/"
        },
        {
          "name": "100643",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100643"
        },
        {
          "name": "1039264",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039264"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12794",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3559-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3559-1/"
            },
            {
              "name": "100643",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100643"
            },
            {
              "name": "1039264",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039264"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12794",
    "datePublished": "2017-09-07T13:00:00",
    "dateReserved": "2017-08-10T00:00:00",
    "dateUpdated": "2024-08-05T18:51:07.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0482

Vulnerability from cvelistv5

Published

2014-08-26 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2014/aug/20/security/	x_refsource_CONFIRM
	http://secunia.com/advisories/61276	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2014/dsa-3010	vendor-advisory, x_refsource_DEBIAN
	http://secunia.com/advisories/59782	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.469Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
          },
          {
            "name": "61276",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61276"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "DSA-3010",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-3010"
          },
          {
            "name": "59782",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/59782"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-08-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
        },
        {
          "name": "61276",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61276"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "DSA-3010",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-3010"
        },
        {
          "name": "59782",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/59782"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0482",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2014/aug/20/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
            },
            {
              "name": "61276",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61276"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "DSA-3010",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-3010"
            },
            {
              "name": "59782",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/59782"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0482",
    "datePublished": "2014-08-26T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-41323

Vulnerability from cvelistv5

Published

2022-10-16 00:00

Modified

2025-02-13 16:33

Severity ?

Summary

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
	https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
	https://security.netapp.com/advisory/ntap-20221124-0001/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:42:45.749Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221124-0001/"
          },
          {
            "name": "FEDORA-2023-3d775d93be",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
          },
          {
            "name": "FEDORA-2023-bde7913e5a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
          },
          {
            "name": "FEDORA-2023-a74513bda8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:15.950Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases/"
        },
        {
          "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221124-0001/"
        },
        {
          "name": "FEDORA-2023-3d775d93be",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
        },
        {
          "name": "FEDORA-2023-bde7913e5a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
        },
        {
          "name": "FEDORA-2023-a74513bda8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-41323",
    "datePublished": "2022-10-16T00:00:00.000Z",
    "dateReserved": "2022-09-23T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:33:04.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-5143

Vulnerability from cvelistv5

Published

2015-07-14 17:00

Modified

2024-08-06 06:32

Severity ?

Summary

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

References

▼	URL	Tags
	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/201510-06	vendor-advisory, x_refsource_GENTOO
	https://www.djangoproject.com/weblog/2015/jul/08/security-releases/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2015/dsa-3305	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2015-1678.html	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/75666	vdb-entry, x_refsource_BID
	http://rhn.redhat.com/errata/RHSA-2015-1686.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2671-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securitytracker.com/id/1032820	vdb-entry, x_refsource_SECTRACK
	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:32:32.963Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2015-1dd5bc998f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
          },
          {
            "name": "GLSA-201510-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201510-06"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
          },
          {
            "name": "openSUSE-SU-2015:1802",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
          },
          {
            "name": "openSUSE-SU-2015:1813",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
          },
          {
            "name": "DSA-3305",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3305"
          },
          {
            "name": "RHSA-2015:1678",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1678.html"
          },
          {
            "name": "75666",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/75666"
          },
          {
            "name": "RHSA-2015:1686",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1686.html"
          },
          {
            "name": "USN-2671-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2671-1"
          },
          {
            "name": "1032820",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1032820"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-07-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-21T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2015-1dd5bc998f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
        },
        {
          "name": "GLSA-201510-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201510-06"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
        },
        {
          "name": "openSUSE-SU-2015:1802",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
        },
        {
          "name": "openSUSE-SU-2015:1813",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
        },
        {
          "name": "DSA-3305",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3305"
        },
        {
          "name": "RHSA-2015:1678",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1678.html"
        },
        {
          "name": "75666",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/75666"
        },
        {
          "name": "RHSA-2015:1686",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-1686.html"
        },
        {
          "name": "USN-2671-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2671-1"
        },
        {
          "name": "1032820",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1032820"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5143",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2015-1dd5bc998f",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html"
            },
            {
              "name": "GLSA-201510-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201510-06"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases/"
            },
            {
              "name": "openSUSE-SU-2015:1802",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html"
            },
            {
              "name": "openSUSE-SU-2015:1813",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html"
            },
            {
              "name": "DSA-3305",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3305"
            },
            {
              "name": "RHSA-2015:1678",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1678.html"
            },
            {
              "name": "75666",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/75666"
            },
            {
              "name": "RHSA-2015:1686",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1686.html"
            },
            {
              "name": "USN-2671-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2671-1"
            },
            {
              "name": "1032820",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1032820"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5143",
    "datePublished": "2015-07-14T17:00:00",
    "dateReserved": "2015-06-29T00:00:00",
    "dateUpdated": "2024-08-06T06:32:32.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-7537

Vulnerability from cvelistv5

Published

2018-03-09 20:00

Modified

2024-08-05 06:31

Severity ?

Summary

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

References

▼	URL	Tags
	https://usn.ubuntu.com/3591-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2018/mar/06/security-releases/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:2927	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/103357	vdb-entry, x_refsource_BID
	https://access.redhat.com/errata/RHSA-2019:0265	vendor-advisory, x_refsource_REDHAT
	https://www.debian.org/security/2018/dsa-4161	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:31:04.518Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3591-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3591-1/"
          },
          {
            "name": "[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"
          },
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          },
          {
            "name": "103357",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103357"
          },
          {
            "name": "RHSA-2019:0265",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0265"
          },
          {
            "name": "DSA-4161",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4161"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-04T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3591-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3591-1/"
        },
        {
          "name": "[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"
        },
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        },
        {
          "name": "103357",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103357"
        },
        {
          "name": "RHSA-2019:0265",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0265"
        },
        {
          "name": "DSA-4161",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4161"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-7537",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3591-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3591-1/"
            },
            {
              "name": "[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"
            },
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "103357",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103357"
            },
            {
              "name": "RHSA-2019:0265",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0265"
            },
            {
              "name": "DSA-4161",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4161"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-7537",
    "datePublished": "2018-03-09T20:00:00",
    "dateReserved": "2018-02-26T00:00:00",
    "dateUpdated": "2024-08-05T06:31:04.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-0221

Vulnerability from cvelistv5

Published

2015-01-16 16:00

Modified

2024-08-06 04:03

Severity ?

Summary

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

References

▼	URL	Tags
	http://secunia.com/advisories/62718	third-party-advisory, x_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html	vendor-advisory, x_refsource_FEDORA
	http://ubuntu.com/usn/usn-2469-1	vendor-advisory, x_refsource_UBUNTU
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:036	vendor-advisory, x_refsource_MANDRIVA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html	vendor-advisory, x_refsource_FEDORA
	http://secunia.com/advisories/62285	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/jan/13/security/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	http://secunia.com/advisories/62309	third-party-advisory, x_refsource_SECUNIA
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109	vendor-advisory, x_refsource_MANDRIVA
	http://advisories.mageia.org/MGASA-2015-0026.html	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.378Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62718",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62718"
          },
          {
            "name": "FEDORA-2015-0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "USN-2469-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2469-1"
          },
          {
            "name": "MDVSA-2015:036",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
          },
          {
            "name": "FEDORA-2015-0790",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
          },
          {
            "name": "62285",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "62718",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62718"
        },
        {
          "name": "FEDORA-2015-0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
        },
        {
          "name": "USN-2469-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2469-1"
        },
        {
          "name": "MDVSA-2015:036",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
        },
        {
          "name": "FEDORA-2015-0790",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
        },
        {
          "name": "62285",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62285"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "62309",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62309"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
        },
        {
          "name": "FEDORA-2015-0714",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0221",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62718",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62718"
            },
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2469-1"
            },
            {
              "name": "MDVSA-2015:036",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
            },
            {
              "name": "FEDORA-2015-0790",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
            },
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0221",
    "datePublished": "2015-01-16T16:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T04:03:10.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-32052

Vulnerability from cvelistv5

Published

2021-05-06 15:49

Modified

2024-08-03 23:17

Severity ?

Summary

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/3.2/releases/security/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/05/06/1	x_refsource_MISC
	https://www.djangoproject.com/weblog/2021/may/06/security-releases/	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20210611-0002/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:17:28.409Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/06/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/"
          },
          {
            "name": "FEDORA-2021-01044b8a59",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210611-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-11T10:06:12",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/06/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/"
        },
        {
          "name": "FEDORA-2021-01044b8a59",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210611-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-32052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.2/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
            },
            {
              "name": "http://www.openwall.com/lists/oss-security/2021/05/06/1",
              "refsource": "MISC",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/06/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/"
            },
            {
              "name": "FEDORA-2021-01044b8a59",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210611-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210611-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-32052",
    "datePublished": "2021-05-06T15:49:20",
    "dateReserved": "2021-05-05T00:00:00",
    "dateUpdated": "2024-08-03T23:17:28.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-0696

Vulnerability from cvelistv5

Published

2011-02-14 20:00

Modified

2024-08-06 21:58

Severity ?

Summary

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

References

▼	URL	Tags
	http://secunia.com/advisories/43297	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/43382	third-party-advisory, x_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2011/0439	vdb-entry, x_refsource_VUPEN
	http://www.vupen.com/english/advisories/2011/0429	vdb-entry, x_refsource_VUPEN
	http://openwall.com/lists/oss-security/2011/02/09/6	mailing-list, x_refsource_MLIST
	http://secunia.com/advisories/43230	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/43426	third-party-advisory, x_refsource_SECUNIA
	https://bugzilla.redhat.com/show_bug.cgi?id=676357	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2011/0372	vdb-entry, x_refsource_VUPEN
	http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html	vendor-advisory, x_refsource_FEDORA
	http://www.vupen.com/english/advisories/2011/0441	vdb-entry, x_refsource_VUPEN
	http://www.ubuntu.com/usn/USN-1066-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/46296	vdb-entry, x_refsource_BID
	http://www.mandriva.com/security/advisories?name=MDVSA-2011:031	vendor-advisory, x_refsource_MANDRIVA
	http://www.debian.org/security/2011/dsa-2163	vendor-advisory, x_refsource_DEBIAN
	http://www.djangoproject.com/weblog/2011/feb/08/security/	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2011/0388	vdb-entry, x_refsource_VUPEN
	http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:58:26.098Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "43297",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43297"
          },
          {
            "name": "43382",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43382"
          },
          {
            "name": "ADV-2011-0439",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0439"
          },
          {
            "name": "ADV-2011-0429",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0429"
          },
          {
            "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
          },
          {
            "name": "43230",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43230"
          },
          {
            "name": "43426",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43426"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=676357"
          },
          {
            "name": "ADV-2011-0372",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0372"
          },
          {
            "name": "FEDORA-2011-1261",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
          },
          {
            "name": "ADV-2011-0441",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0441"
          },
          {
            "name": "USN-1066-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1066-1"
          },
          {
            "name": "46296",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/46296"
          },
          {
            "name": "MDVSA-2011:031",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
          },
          {
            "name": "DSA-2163",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2163"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
          },
          {
            "name": "ADV-2011-0388",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0388"
          },
          {
            "name": "FEDORA-2011-1235",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-02-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-02-23T10:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "43297",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43297"
        },
        {
          "name": "43382",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43382"
        },
        {
          "name": "ADV-2011-0439",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0439"
        },
        {
          "name": "ADV-2011-0429",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0429"
        },
        {
          "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
        },
        {
          "name": "43230",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43230"
        },
        {
          "name": "43426",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43426"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=676357"
        },
        {
          "name": "ADV-2011-0372",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0372"
        },
        {
          "name": "FEDORA-2011-1261",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
        },
        {
          "name": "ADV-2011-0441",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0441"
        },
        {
          "name": "USN-1066-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1066-1"
        },
        {
          "name": "46296",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/46296"
        },
        {
          "name": "MDVSA-2011:031",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
        },
        {
          "name": "DSA-2163",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2163"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
        },
        {
          "name": "ADV-2011-0388",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0388"
        },
        {
          "name": "FEDORA-2011-1235",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-0696",
    "datePublished": "2011-02-14T20:00:00",
    "dateReserved": "2011-01-31T00:00:00",
    "dateUpdated": "2024-08-06T21:58:26.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2012-3442

Vulnerability from cvelistv5

Published

2012-07-31 17:00

Modified

2024-08-06 20:05

Severity ?

Summary

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

References

▼	URL	Tags
	http://www.openwall.com/lists/oss-security/2012/07/31/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=MDVSA-2012:143	vendor-advisory, x_refsource_MANDRIVA
	http://www.ubuntu.com/usn/USN-1560-1	vendor-advisory, x_refsource_UBUNTU
	http://www.openwall.com/lists/oss-security/2012/07/31/2	mailing-list, x_refsource_MLIST
	http://www.debian.org/security/2012/dsa-2529	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T20:05:12.572Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
          },
          {
            "name": "MDVSA-2012:143",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
          },
          {
            "name": "USN-1560-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1560-1"
          },
          {
            "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
          },
          {
            "name": "DSA-2529",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2012/dsa-2529"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2012-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2012-09-29T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
        },
        {
          "name": "MDVSA-2012:143",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
        },
        {
          "name": "USN-1560-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1560-1"
        },
        {
          "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
        },
        {
          "name": "DSA-2529",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2012/dsa-2529"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-3442",
    "datePublished": "2012-07-31T17:00:00",
    "dateReserved": "2012-06-14T00:00:00",
    "dateUpdated": "2024-08-06T20:05:12.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-23969

Vulnerability from cvelistv5

Published

2023-02-01 00:00

Modified

2025-03-27 14:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.1/releases/security/
	https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
	https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html	mailing-list
	https://security.netapp.com/advisory/ntap-20230302-0007/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:49:08.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20230201 [SECURITY] [DLA 3306-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230302-0007/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-23969",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T14:17:12.981645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T14:17:49.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:12.957Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20230201 [SECURITY] [DLA 3306-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230302-0007/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-23969",
    "datePublished": "2023-02-01T00:00:00.000Z",
    "dateReserved": "2023-01-20T00:00:00.000Z",
    "dateUpdated": "2025-03-27T14:17:49.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-4136

Vulnerability from cvelistv5

Published

2011-10-19 10:00

Modified

2024-08-07 00:01

Severity ?

Summary

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

References

▼	URL	Tags
	https://hermes.opensuse.org/messages/14700881	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2011/dsa-2332	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.redhat.com/show_bug.cgi?id=737366	x_refsource_CONFIRM
	http://secunia.com/advisories/46614	third-party-advisory, x_refsource_SECUNIA
	http://openwall.com/lists/oss-security/2011/09/11/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/10/127/	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2011/09/13/2	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/09/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:01:50.498Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2012:0653",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "https://hermes.opensuse.org/messages/14700881"
          },
          {
            "name": "DSA-2332",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
          },
          {
            "name": "46614",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/46614"
          },
          {
            "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
          },
          {
            "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session\u0027s identifier."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-17T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "openSUSE-SU-2012:0653",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "https://hermes.opensuse.org/messages/14700881"
        },
        {
          "name": "DSA-2332",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
        },
        {
          "name": "46614",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/46614"
        },
        {
          "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
        },
        {
          "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-4136",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session\u0027s identifier."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2012:0653",
              "refsource": "SUSE",
              "url": "https://hermes.opensuse.org/messages/14700881"
            },
            {
              "name": "DSA-2332",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2332"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=737366",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
            },
            {
              "name": "46614",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/46614"
            },
            {
              "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/10/127/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
            },
            {
              "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/09/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-4136",
    "datePublished": "2011-10-19T10:00:00",
    "dateReserved": "2011-10-19T00:00:00",
    "dateUpdated": "2024-08-07T00:01:50.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-6186

Vulnerability from cvelistv5

Published

2016-08-05 15:00

Modified

2024-08-06 01:22

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1036338	vdb-entry, x_refsource_SECTRACK
	http://seclists.org/fulldisclosure/2016/Jul/53	mailing-list, x_refsource_FULLDISC
	http://rhn.redhat.com/errata/RHSA-2016-1594.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2016/dsa-3622	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/	vendor-advisory, x_refsource_FEDORA
	http://www.vulnerability-lab.com/get_content.php?id=1869	x_refsource_MISC
	http://www.securityfocus.com/archive/1/538947/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html	x_refsource_MISC
	http://www.ubuntu.com/usn/USN-3039-1	vendor-advisory, x_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/	vendor-advisory, x_refsource_FEDORA
	https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2016-1596.html	vendor-advisory, x_refsource_REDHAT
	https://www.djangoproject.com/weblog/2016/jul/18/security-releases/	x_refsource_CONFIRM
	https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/92058	vdb-entry, x_refsource_BID
	http://rhn.redhat.com/errata/RHSA-2016-1595.html	vendor-advisory, x_refsource_REDHAT
	https://www.exploit-db.com/exploits/40129/	exploit, x_refsource_EXPLOIT-DB

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:22:20.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1036338",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036338"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
          },
          {
            "name": "RHSA-2016:1594",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
          },
          {
            "name": "DSA-3622",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3622"
          },
          {
            "name": "FEDORA-2016-97ca9d52a4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
          },
          {
            "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
          },
          {
            "name": "USN-3039-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3039-1"
          },
          {
            "name": "FEDORA-2016-b7e31a0b9a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
          },
          {
            "name": "RHSA-2016:1596",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
          },
          {
            "name": "92058",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92058"
          },
          {
            "name": "RHSA-2016:1595",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
          },
          {
            "name": "40129",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/40129/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-07-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1036338",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036338"
        },
        {
          "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
        },
        {
          "name": "RHSA-2016:1594",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
        },
        {
          "name": "DSA-3622",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3622"
        },
        {
          "name": "FEDORA-2016-97ca9d52a4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
        },
        {
          "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
        },
        {
          "name": "USN-3039-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3039-1"
        },
        {
          "name": "FEDORA-2016-b7e31a0b9a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
        },
        {
          "name": "RHSA-2016:1596",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
        },
        {
          "name": "92058",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92058"
        },
        {
          "name": "RHSA-2016:1595",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
        },
        {
          "name": "40129",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/40129/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6186",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1036338",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036338"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Jul/53"
            },
            {
              "name": "RHSA-2016:1594",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1594.html"
            },
            {
              "name": "DSA-3622",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3622"
            },
            {
              "name": "FEDORA-2016-97ca9d52a4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KHHPN6MISX5I6UTXQHYLPTLEEUE6WDXW/"
            },
            {
              "name": "http://www.vulnerability-lab.com/get_content.php?id=1869",
              "refsource": "MISC",
              "url": "http://www.vulnerability-lab.com/get_content.php?id=1869"
            },
            {
              "name": "20160719 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/538947/100/0/threaded"
            },
            {
              "name": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/137965/Django-3.3.0-Script-Insertion.html"
            },
            {
              "name": "USN-3039-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3039-1"
            },
            {
              "name": "FEDORA-2016-b7e31a0b9a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ/"
            },
            {
              "name": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/f68e5a99164867ab0e071a936470958ed867479d"
            },
            {
              "name": "RHSA-2016:1596",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1596.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/jul/18/security-releases/"
            },
            {
              "name": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158"
            },
            {
              "name": "92058",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92058"
            },
            {
              "name": "RHSA-2016:1595",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1595.html"
            },
            {
              "name": "40129",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/40129/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6186",
    "datePublished": "2016-08-05T15:00:00",
    "dateReserved": "2016-07-08T00:00:00",
    "dateUpdated": "2024-08-06T01:22:20.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28346

Vulnerability from cvelistv5

Published

2022-04-12 00:00

Modified

2025-02-13 16:32

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/04/11/1
	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
	https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html	mailing-list
	https://security.netapp.com/advisory/ntap-20220609-0002/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:56:14.796Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20220414 [SECURITY] [DLA 2982-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220609-0002/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:20.960Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20220414 [SECURITY] [DLA 2982-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220609-0002/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28346",
    "datePublished": "2022-04-12T00:00:00.000Z",
    "dateReserved": "2022-04-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:33.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-2048

Vulnerability from cvelistv5

Published

2016-02-08 19:00

Modified

2024-08-05 23:17

Severity ?

Summary

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/82329	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1034894	vdb-entry, x_refsource_SECTRACK

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:17:50.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"
          },
          {
            "name": "82329",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/82329"
          },
          {
            "name": "1034894",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1034894"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-25T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"
        },
        {
          "name": "82329",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/82329"
        },
        {
          "name": "1034894",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1034894"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"
            },
            {
              "name": "82329",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/82329"
            },
            {
              "name": "1034894",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1034894"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-2048",
    "datePublished": "2016-02-08T19:00:00",
    "dateReserved": "2016-01-24T00:00:00",
    "dateUpdated": "2024-08-05T23:17:50.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2012-3444

Vulnerability from cvelistv5

Published

2012-07-31 17:00

Modified

2024-08-06 20:05

Severity ?

Summary

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

References

▼	URL	Tags
	http://www.openwall.com/lists/oss-security/2012/07/31/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=MDVSA-2012:143	vendor-advisory, x_refsource_MANDRIVA
	http://www.ubuntu.com/usn/USN-1560-1	vendor-advisory, x_refsource_UBUNTU
	http://www.openwall.com/lists/oss-security/2012/07/31/2	mailing-list, x_refsource_MLIST
	http://www.debian.org/security/2012/dsa-2529	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T20:05:12.482Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
          },
          {
            "name": "MDVSA-2012:143",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
          },
          {
            "name": "USN-1560-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1560-1"
          },
          {
            "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
          },
          {
            "name": "DSA-2529",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2012/dsa-2529"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2012-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2012-09-29T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
        },
        {
          "name": "MDVSA-2012:143",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
        },
        {
          "name": "USN-1560-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1560-1"
        },
        {
          "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
        },
        {
          "name": "DSA-2529",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2012/dsa-2529"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-3444",
    "datePublished": "2012-07-31T17:00:00",
    "dateReserved": "2012-06-14T00:00:00",
    "dateUpdated": "2024-08-06T20:05:12.482Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-2316

Vulnerability from cvelistv5

Published

2015-03-25 14:00

Modified

2024-08-06 05:10

Severity ?

Summary

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

References

▼	URL	Tags
	http://www.ubuntu.com/usn/USN-2539-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/73322	vdb-entry, x_refsource_BID
	http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html	vendor-advisory, x_refsource_FEDORA
	http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/mar/18/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:10:16.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-2539-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2539-1"
          },
          {
            "name": "73322",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/73322"
          },
          {
            "name": "FEDORA-2015-5766",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-30T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-2539-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2539-1"
        },
        {
          "name": "73322",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/73322"
        },
        {
          "name": "FEDORA-2015-5766",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-2316",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2539-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2539-1"
            },
            {
              "name": "73322",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/73322"
            },
            {
              "name": "FEDORA-2015-5766",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-2316",
    "datePublished": "2015-03-25T14:00:00",
    "dateReserved": "2015-03-17T00:00:00",
    "dateUpdated": "2024-08-06T05:10:16.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-45115

Vulnerability from cvelistv5

Published

2022-01-04 23:16

Modified

2024-08-04 04:39

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/4.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2022/jan/04/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20220121-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.303Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:36",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45115",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/4.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220121-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45115",
    "datePublished": "2022-01-04T23:16:00",
    "dateReserved": "2021-12-16T00:00:00",
    "dateUpdated": "2024-08-04T04:39:20.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0472

Vulnerability from cvelistv5

Published

2014-04-23 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

References

▼	URL	Tags
	http://www.ubuntu.com/usn/USN-2169-1	vendor-advisory, x_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2014/apr/21/security/	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2014-0457.html	vendor-advisory, x_refsource_REDHAT
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2014/dsa-2934	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://rhn.redhat.com/errata/RHSA-2014-0456.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:17.941Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-2169-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2169-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
          },
          {
            "name": "RHSA-2014:0457",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "RHSA-2014:0456",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-04-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "USN-2169-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2169-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
        },
        {
          "name": "RHSA-2014:0457",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "DSA-2934",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2934"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "RHSA-2014:0456",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0472",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2169-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2169-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
            },
            {
              "name": "RHSA-2014:0457",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "RHSA-2014:0456",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0472",
    "datePublished": "2014-04-23T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:17.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-23336

Vulnerability from cvelistv5

Published

2021-02-15 12:15

Modified

2024-09-16 18:55

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C

Summary

Web Cache Poisoning

References

▼	URL	Tags
	https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
	https://github.com/python/cpython/pull/24297
	https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
	http://www.openwall.com/lists/oss-security/2021/02/19/4	mailing-list
	https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/	vendor-advisory
	https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html	mailing-list
	https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/	vendor-advisory
	https://security.gentoo.org/glsa/202104-04	vendor-advisory
	https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E	mailing-list
	http://www.openwall.com/lists/oss-security/2021/05/01/2	mailing-list
	https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/	vendor-advisory
	https://www.oracle.com/security-alerts/cpuApr2021.html
	https://security.netapp.com/advisory/ntap-20210326-0004/
	https://www.oracle.com//security-alerts/cpujul2021.html
	https://www.oracle.com/security-alerts/cpuoct2021.html
	https://www.oracle.com/security-alerts/cpujan2022.html
	https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html	mailing-list

Impacted products

▼	Vendor	Product
	n/a	python/cpython

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:55.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/pull/24297"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
          },
          {
            "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
          },
          {
            "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
          },
          {
            "name": "FEDORA-2021-7547ad987f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
          },
          {
            "name": "FEDORA-2021-f4fd9372c7",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
          },
          {
            "name": "FEDORA-2021-3352c1c802",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
          },
          {
            "name": "FEDORA-2021-7d3a9004e2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
          },
          {
            "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
          },
          {
            "name": "FEDORA-2021-907f3bacae",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
          },
          {
            "name": "FEDORA-2021-7c1bb32d13",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
          },
          {
            "name": "FEDORA-2021-b1843407ca",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
          },
          {
            "name": "FEDORA-2021-2897f5366c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
          },
          {
            "name": "FEDORA-2021-b326fcb83f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
          },
          {
            "name": "FEDORA-2021-1bb399a5af",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
          },
          {
            "name": "FEDORA-2021-ef83e8525a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
          },
          {
            "name": "FEDORA-2021-b76ede8f4d",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
          },
          {
            "name": "FEDORA-2021-309bc2e727",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
          },
          {
            "name": "FEDORA-2021-5a09621ebb",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
          },
          {
            "name": "FEDORA-2021-e22bb0e548",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
          },
          {
            "name": "FEDORA-2021-e525e48886",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
          },
          {
            "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
          },
          {
            "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
          },
          {
            "name": "FEDORA-2021-b6b6093b3a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
          },
          {
            "name": "GLSA-202104-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202104-04"
          },
          {
            "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
          },
          {
            "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "FEDORA-2021-98720f3785",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
          },
          {
            "name": "FEDORA-2021-12df7f7382",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python/cpython",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.6.13",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.7.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.8.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.9.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.9.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Snyk Security Team"
        }
      ],
      "datePublic": "2021-02-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "remediationLevel": "UNAVAILABLE",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 5.6,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Web Cache Poisoning",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-20T21:06:13.958312",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
        },
        {
          "url": "https://github.com/python/cpython/pull/24297"
        },
        {
          "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
        },
        {
          "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
        },
        {
          "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
        },
        {
          "name": "FEDORA-2021-7547ad987f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
        },
        {
          "name": "FEDORA-2021-f4fd9372c7",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
        },
        {
          "name": "FEDORA-2021-3352c1c802",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
        },
        {
          "name": "FEDORA-2021-7d3a9004e2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
        },
        {
          "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
        },
        {
          "name": "FEDORA-2021-907f3bacae",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
        },
        {
          "name": "FEDORA-2021-7c1bb32d13",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
        },
        {
          "name": "FEDORA-2021-b1843407ca",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
        },
        {
          "name": "FEDORA-2021-2897f5366c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
        },
        {
          "name": "FEDORA-2021-b326fcb83f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
        },
        {
          "name": "FEDORA-2021-1bb399a5af",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
        },
        {
          "name": "FEDORA-2021-ef83e8525a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
        },
        {
          "name": "FEDORA-2021-b76ede8f4d",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
        },
        {
          "name": "FEDORA-2021-309bc2e727",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
        },
        {
          "name": "FEDORA-2021-5a09621ebb",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
        },
        {
          "name": "FEDORA-2021-e22bb0e548",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
        },
        {
          "name": "FEDORA-2021-e525e48886",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
        },
        {
          "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
        },
        {
          "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
        },
        {
          "name": "FEDORA-2021-b6b6093b3a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
        },
        {
          "name": "GLSA-202104-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202104-04"
        },
        {
          "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
        },
        {
          "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
        },
        {
          "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "FEDORA-2021-98720f3785",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
        },
        {
          "name": "FEDORA-2021-12df7f7382",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
        },
        {
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
        }
      ],
      "title": "Web Cache Poisoning"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2021-23336",
    "datePublished": "2021-02-15T12:15:20.788790Z",
    "dateReserved": "2021-01-08T00:00:00",
    "dateUpdated": "2024-09-16T18:55:19.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-23833

Vulnerability from cvelistv5

Published

2022-02-03 00:00

Modified

2024-08-03 03:51

Severity ?

Summary

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220221-0003/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
	https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
	https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.008Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-22T23:04:35.819653",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
        },
        {
          "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
        },
        {
          "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23833",
    "datePublished": "2022-02-03T00:00:00",
    "dateReserved": "2022-01-21T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-36053

Vulnerability from cvelistv5

Published

2023-07-03 00:00

Modified

2024-08-02 16:37

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.2/releases/security/
	https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
	https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html	mailing-list
	https://www.debian.org/security/2023/dsa-5465	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "debian_linux",
            "vendor": "debian",
            "versions": [
              {
                "status": "affected",
                "version": "10.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "fedora",
            "vendor": "fedoraproject",
            "versions": [
              {
                "status": "affected",
                "version": "37"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-36053",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-22T16:03:28.124119Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1333",
                "description": "CWE-1333 Inefficient Regular Expression Complexity",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:25:43.436Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:37:41.341Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
          },
          {
            "name": "DSA-5465",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5465"
          },
          {
            "name": "FEDORA-2023-cc023fabb7",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/"
          },
          {
            "name": "FEDORA-2023-9d36d373f1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/"
          },
          {
            "name": "FEDORA-2024-84fbbbb914",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-20T03:05:57.133777",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
        },
        {
          "name": "DSA-5465",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5465"
        },
        {
          "name": "FEDORA-2023-cc023fabb7",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/"
        },
        {
          "name": "FEDORA-2023-9d36d373f1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/"
        },
        {
          "name": "FEDORA-2024-84fbbbb914",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-36053",
    "datePublished": "2023-07-03T00:00:00",
    "dateReserved": "2023-06-20T00:00:00",
    "dateUpdated": "2024-08-02T16:37:41.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-45230

Vulnerability from cvelistv5

Published

2024-10-08 00:00

Modified

2025-03-17 14:12

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/sep/03/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "5.1.1",
                "status": "affected",
                "version": "5.1",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.9",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.2.16",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45230",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-30T16:30:05.616132Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-17T14:12:05.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-08T15:05:33.553Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45230",
    "datePublished": "2024-10-08T00:00:00.000Z",
    "dateReserved": "2024-08-24T00:00:00.000Z",
    "dateUpdated": "2025-03-17T14:12:05.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-0697

Vulnerability from cvelistv5

Published

2011-02-14 20:00

Modified

2024-08-06 21:58

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.

References

▼	URL	Tags
	http://secunia.com/advisories/43297	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/43382	third-party-advisory, x_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2011/0439	vdb-entry, x_refsource_VUPEN
	http://www.vupen.com/english/advisories/2011/0429	vdb-entry, x_refsource_VUPEN
	http://openwall.com/lists/oss-security/2011/02/09/6	mailing-list, x_refsource_MLIST
	http://secunia.com/advisories/43230	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/43426	third-party-advisory, x_refsource_SECUNIA
	https://bugzilla.redhat.com/show_bug.cgi?id=676359	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2011/0372	vdb-entry, x_refsource_VUPEN
	http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html	vendor-advisory, x_refsource_FEDORA
	http://www.vupen.com/english/advisories/2011/0441	vdb-entry, x_refsource_VUPEN
	http://www.ubuntu.com/usn/USN-1066-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/46296	vdb-entry, x_refsource_BID
	http://www.mandriva.com/security/advisories?name=MDVSA-2011:031	vendor-advisory, x_refsource_MANDRIVA
	http://www.debian.org/security/2011/dsa-2163	vendor-advisory, x_refsource_DEBIAN
	http://www.djangoproject.com/weblog/2011/feb/08/security/	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2011/0388	vdb-entry, x_refsource_VUPEN
	http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:58:26.093Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "43297",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43297"
          },
          {
            "name": "43382",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43382"
          },
          {
            "name": "ADV-2011-0439",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0439"
          },
          {
            "name": "ADV-2011-0429",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0429"
          },
          {
            "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
          },
          {
            "name": "43230",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43230"
          },
          {
            "name": "43426",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43426"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=676359"
          },
          {
            "name": "ADV-2011-0372",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0372"
          },
          {
            "name": "FEDORA-2011-1261",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
          },
          {
            "name": "ADV-2011-0441",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0441"
          },
          {
            "name": "USN-1066-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1066-1"
          },
          {
            "name": "46296",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/46296"
          },
          {
            "name": "MDVSA-2011:031",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
          },
          {
            "name": "DSA-2163",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2163"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
          },
          {
            "name": "ADV-2011-0388",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0388"
          },
          {
            "name": "FEDORA-2011-1235",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-02-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-02-23T10:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "43297",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43297"
        },
        {
          "name": "43382",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43382"
        },
        {
          "name": "ADV-2011-0439",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0439"
        },
        {
          "name": "ADV-2011-0429",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0429"
        },
        {
          "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
        },
        {
          "name": "43230",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43230"
        },
        {
          "name": "43426",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43426"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=676359"
        },
        {
          "name": "ADV-2011-0372",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0372"
        },
        {
          "name": "FEDORA-2011-1261",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
        },
        {
          "name": "ADV-2011-0441",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0441"
        },
        {
          "name": "USN-1066-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1066-1"
        },
        {
          "name": "46296",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/46296"
        },
        {
          "name": "MDVSA-2011:031",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
        },
        {
          "name": "DSA-2163",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2163"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
        },
        {
          "name": "ADV-2011-0388",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0388"
        },
        {
          "name": "FEDORA-2011-1235",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-0697",
    "datePublished": "2011-02-14T20:00:00",
    "dateReserved": "2011-01-31T00:00:00",
    "dateUpdated": "2024-08-06T21:58:26.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-6044

Vulnerability from cvelistv5

Published

2013-10-04 17:00

Modified

2024-08-06 17:29

Severity ?

Summary

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/61777	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1028915	vdb-entry, x_refsource_SECTRACK
	http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html	vendor-advisory, x_refsource_SUSE
	https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a	x_refsource_CONFIRM
	http://secunia.com/advisories/54476	third-party-advisory, x_refsource_SECUNIA
	http://rhn.redhat.com/errata/RHSA-2013-1521.html	vendor-advisory, x_refsource_REDHAT
	http://seclists.org/oss-sec/2013/q3/369	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/86437	vdb-entry, x_refsource_XF
	https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762	x_refsource_CONFIRM
	https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f	x_refsource_CONFIRM
	http://seclists.org/oss-sec/2013/q3/411	mailing-list, x_refsource_MLIST
	http://www.debian.org/security/2013/dsa-2740	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:29:43.070Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "61777",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/61777"
          },
          {
            "name": "1028915",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1028915"
          },
          {
            "name": "openSUSE-SU-2013:1541",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a"
          },
          {
            "name": "54476",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/54476"
          },
          {
            "name": "RHSA-2013:1521",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
          },
          {
            "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/369"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
          },
          {
            "name": "django-issafeurl-xss(86437)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86437"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f"
          },
          {
            "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/411"
          },
          {
            "name": "DSA-2740",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2740"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-08-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL\u0027s scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-16T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "61777",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/61777"
        },
        {
          "name": "1028915",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1028915"
        },
        {
          "name": "openSUSE-SU-2013:1541",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a"
        },
        {
          "name": "54476",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/54476"
        },
        {
          "name": "RHSA-2013:1521",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
        },
        {
          "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/369"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
        },
        {
          "name": "django-issafeurl-xss(86437)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86437"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f"
        },
        {
          "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/411"
        },
        {
          "name": "DSA-2740",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2740"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-6044",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL\u0027s scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "61777",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/61777"
            },
            {
              "name": "1028915",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1028915"
            },
            {
              "name": "openSUSE-SU-2013:1541",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
            },
            {
              "name": "https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a"
            },
            {
              "name": "54476",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/54476"
            },
            {
              "name": "RHSA-2013:1521",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
            },
            {
              "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2013/q3/369"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
            },
            {
              "name": "django-issafeurl-xss(86437)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86437"
            },
            {
              "name": "https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762"
            },
            {
              "name": "https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f"
            },
            {
              "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2013/q3/411"
            },
            {
              "name": "DSA-2740",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2013/dsa-2740"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-6044",
    "datePublished": "2013-10-04T17:00:00",
    "dateReserved": "2013-10-04T00:00:00",
    "dateUpdated": "2024-08-06T17:29:43.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-6975

Vulnerability from cvelistv5

Published

2019-02-11 13:00

Modified

2024-08-04 20:38

Severity ?

Summary

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2019/feb/11/security-releases/	x_refsource_MISC
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	http://www.securityfocus.com/bid/106964	vdb-entry, x_refsource_BID
	https://usn.ubuntu.com/3890-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.openwall.com/lists/oss-security/2019/02/11/1	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/	vendor-advisory, x_refsource_FEDORA
	https://www.debian.org/security/2019/dsa-4476	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Jul/10	mailing-list, x_refsource_BUGTRAQ

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:38:32.322Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "106964",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106964"
          },
          {
            "name": "USN-3890-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3890-1/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2019/02/11/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ"
          },
          {
            "name": "FEDORA-2019-5ad2149e99",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
          },
          {
            "name": "FEDORA-2019-f528d75a69",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/"
          },
          {
            "name": "DSA-4476",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4476"
          },
          {
            "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-02-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-08T14:06:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "106964",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106964"
        },
        {
          "name": "USN-3890-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3890-1/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2019/02/11/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ"
        },
        {
          "name": "FEDORA-2019-5ad2149e99",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
        },
        {
          "name": "FEDORA-2019-f528d75a69",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/"
        },
        {
          "name": "DSA-4476",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4476"
        },
        {
          "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/10"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-6975",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/"
            },
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "106964",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106964"
            },
            {
              "name": "USN-3890-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3890-1/"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2019/02/11/1",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2019/02/11/1"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ"
            },
            {
              "name": "FEDORA-2019-5ad2149e99",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
            },
            {
              "name": "FEDORA-2019-f528d75a69",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/"
            },
            {
              "name": "DSA-4476",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4476"
            },
            {
              "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/10"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-6975",
    "datePublished": "2019-02-11T13:00:00",
    "dateReserved": "2019-01-26T00:00:00",
    "dateUpdated": "2024-08-04T20:38:32.322Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-45452

Vulnerability from cvelistv5

Published

2022-01-04 23:09

Modified

2024-08-04 04:39

Severity ?

Summary

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/4.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2022/jan/04/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20220121-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:21.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:30",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45452",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/4.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220121-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45452",
    "datePublished": "2022-01-04T23:09:40",
    "dateReserved": "2021-12-21T00:00:00",
    "dateUpdated": "2024-08-04T04:39:21.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0481

Vulnerability from cvelistv5

Published

2014-08-26 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2014/aug/20/security/	x_refsource_CONFIRM
	http://secunia.com/advisories/61276	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2014/dsa-3010	vendor-advisory, x_refsource_DEBIAN
	http://secunia.com/advisories/59782	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.410Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
          },
          {
            "name": "61276",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61276"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "DSA-3010",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-3010"
          },
          {
            "name": "59782",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/59782"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-08-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
        },
        {
          "name": "61276",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61276"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "DSA-3010",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-3010"
        },
        {
          "name": "59782",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/59782"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0481",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2014/aug/20/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
            },
            {
              "name": "61276",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61276"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "DSA-3010",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-3010"
            },
            {
              "name": "59782",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/59782"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0481",
    "datePublished": "2014-08-26T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.410Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-26699

Vulnerability from cvelistv5

Published

2025-03-06 00:00

Modified

2025-03-19 20:03

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Summary

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/g/django-announce
	https://www.djangoproject.com/weblog/2025/mar/06/security-releases/

Impacted products

▼	Vendor	Product
	djangoproject	Django

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-19T20:03:03.946Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/06/12"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-06T20:30:28.270345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-06T20:30:47.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Django",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "4.2.20",
              "status": "affected",
              "version": "4.2",
              "versionType": "custom"
            },
            {
              "lessThan": "5.0.13",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.1.7",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.2.20",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.1.7",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-06T18:45:09.686Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-26699",
    "datePublished": "2025-03-06T00:00:00.000Z",
    "dateReserved": "2025-02-14T00:00:00.000Z",
    "dateUpdated": "2025-03-19T20:03:03.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-4137

Vulnerability from cvelistv5

Published

2011-10-19 10:00

Modified

2024-08-07 00:01

Severity ?

Summary

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

References

▼	URL	Tags
	http://openwall.com/lists/oss-security/2011/09/15/5	mailing-list, x_refsource_MLIST
	https://hermes.opensuse.org/messages/14700881	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2011/dsa-2332	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.redhat.com/show_bug.cgi?id=737366	x_refsource_CONFIRM
	http://secunia.com/advisories/46614	third-party-advisory, x_refsource_SECUNIA
	http://openwall.com/lists/oss-security/2011/09/11/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/10/127/	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2011/09/13/2	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/09/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:01:50.805Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/15/5"
          },
          {
            "name": "openSUSE-SU-2012:0653",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "https://hermes.opensuse.org/messages/14700881"
          },
          {
            "name": "DSA-2332",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
          },
          {
            "name": "46614",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/46614"
          },
          {
            "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
          },
          {
            "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-17T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/15/5"
        },
        {
          "name": "openSUSE-SU-2012:0653",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "https://hermes.opensuse.org/messages/14700881"
        },
        {
          "name": "DSA-2332",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
        },
        {
          "name": "46614",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/46614"
        },
        {
          "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
        },
        {
          "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-4137",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/15/5"
            },
            {
              "name": "openSUSE-SU-2012:0653",
              "refsource": "SUSE",
              "url": "https://hermes.opensuse.org/messages/14700881"
            },
            {
              "name": "DSA-2332",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2332"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=737366",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
            },
            {
              "name": "46614",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/46614"
            },
            {
              "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/10/127/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
            },
            {
              "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/09/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-4137",
    "datePublished": "2011-10-19T10:00:00",
    "dateReserved": "2011-10-19T00:00:00",
    "dateUpdated": "2024-08-07T00:01:50.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-19844

Vulnerability from cvelistv5

Published

2019-12-18 18:07

Modified

2024-08-05 02:25

Severity ?

Summary

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/dec/18/security-releases/	x_refsource_CONFIRM
	https://usn.ubuntu.com/4224-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.debian.org/security/2020/dsa-4598	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2020/Jan/9	mailing-list, x_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20200110-0003/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:25:12.834Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"
          },
          {
            "name": "USN-4224-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4224-1/"
          },
          {
            "name": "DSA-4598",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4598"
          },
          {
            "name": "20200108 [SECURITY] [DSA 4598-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2020/Jan/9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"
          },
          {
            "name": "FEDORA-2020-adb4f0143a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\u0027s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"
        },
        {
          "name": "USN-4224-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4224-1/"
        },
        {
          "name": "DSA-4598",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4598"
        },
        {
          "name": "20200108 [SECURITY] [DSA 4598-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2020/Jan/9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"
        },
        {
          "name": "FEDORA-2020-adb4f0143a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-19844",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\u0027s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"
            },
            {
              "name": "USN-4224-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4224-1/"
            },
            {
              "name": "DSA-4598",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4598"
            },
            {
              "name": "20200108 [SECURITY] [DSA 4598-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2020/Jan/9"
            },
            {
              "name": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200110-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"
            },
            {
              "name": "FEDORA-2020-adb4f0143a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-19844",
    "datePublished": "2019-12-18T18:07:11",
    "dateReserved": "2019-12-17T00:00:00",
    "dateUpdated": "2024-08-05T02:25:12.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-6188

Vulnerability from cvelistv5

Published

2018-02-05 03:00

Modified

2024-08-05 05:54

Severity ?

Summary

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.

References

▼	URL	Tags
	https://usn.ubuntu.com/3559-1/	vendor-advisory, x_refsource_UBUNTU
	http://www.securitytracker.com/id/1040422	vdb-entry, x_refsource_SECTRACK
	https://www.djangoproject.com/weblog/2018/feb/01/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T05:54:53.251Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3559-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3559-1/"
          },
          {
            "name": "1040422",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040422"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-02-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-15T09:57:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3559-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3559-1/"
        },
        {
          "name": "1040422",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040422"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-6188",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3559-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3559-1/"
            },
            {
              "name": "1040422",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040422"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-6188",
    "datePublished": "2018-02-05T03:00:00",
    "dateReserved": "2018-01-24T00:00:00",
    "dateUpdated": "2024-08-05T05:54:53.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-24580

Vulnerability from cvelistv5

Published

2023-02-15 00:00

Modified

2025-03-18 19:24

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.1/releases/security/
	http://www.openwall.com/lists/oss-security/2023/02/14/1
	https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
	https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20230316-0006/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:18.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20230220 [SECURITY] [DLA 3329-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html"
          },
          {
            "name": "FEDORA-2023-3d775d93be",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
          },
          {
            "name": "FEDORA-2023-bde7913e5a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
          },
          {
            "name": "FEDORA-2023-a74513bda8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230316-0006/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-24580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-18T19:24:08.191089Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-18T19:24:32.509Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:17.641Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20230220 [SECURITY] [DLA 3329-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html"
        },
        {
          "name": "FEDORA-2023-3d775d93be",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
        },
        {
          "name": "FEDORA-2023-bde7913e5a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
        },
        {
          "name": "FEDORA-2023-a74513bda8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230316-0006/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-24580",
    "datePublished": "2023-02-15T00:00:00.000Z",
    "dateReserved": "2023-01-27T00:00:00.000Z",
    "dateUpdated": "2025-03-18T19:24:32.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-2512

Vulnerability from cvelistv5

Published

2016-04-08 15:00

Modified

2024-08-05 23:32

Severity ?

Summary

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

References

▼	URL	Tags
	http://rhn.redhat.com/errata/RHSA-2016-0506.html	vendor-advisory, x_refsource_REDHAT
	http://www.securitytracker.com/id/1035152	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/83879	vdb-entry, x_refsource_BID
	http://rhn.redhat.com/errata/RHSA-2016-0504.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2016/dsa-3544	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-0502.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-3	vendor-advisory, x_refsource_UBUNTU
	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2915-2	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2016-0505.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-1	vendor-advisory, x_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2016/mar/01/security-releases/	x_refsource_CONFIRM
	https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:32:20.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0506",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
          },
          {
            "name": "1035152",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1035152"
          },
          {
            "name": "83879",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/83879"
          },
          {
            "name": "RHSA-2016:0504",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
          },
          {
            "name": "DSA-3544",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3544"
          },
          {
            "name": "RHSA-2016:0502",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
          },
          {
            "name": "USN-2915-3",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
          },
          {
            "name": "USN-2915-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-2"
          },
          {
            "name": "RHSA-2016:0505",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
          },
          {
            "name": "USN-2915-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-03-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2016:0506",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
        },
        {
          "name": "1035152",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1035152"
        },
        {
          "name": "83879",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/83879"
        },
        {
          "name": "RHSA-2016:0504",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
        },
        {
          "name": "DSA-3544",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3544"
        },
        {
          "name": "RHSA-2016:0502",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
        },
        {
          "name": "USN-2915-3",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
        },
        {
          "name": "USN-2915-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-2"
        },
        {
          "name": "RHSA-2016:0505",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
        },
        {
          "name": "USN-2915-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2512",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0506",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
            },
            {
              "name": "1035152",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1035152"
            },
            {
              "name": "83879",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/83879"
            },
            {
              "name": "RHSA-2016:0504",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
            },
            {
              "name": "DSA-3544",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3544"
            },
            {
              "name": "RHSA-2016:0502",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
            },
            {
              "name": "USN-2915-3",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-3"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
            },
            {
              "name": "USN-2915-2",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-2"
            },
            {
              "name": "RHSA-2016:0505",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
            },
            {
              "name": "USN-2915-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
            },
            {
              "name": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-2512",
    "datePublished": "2016-04-08T15:00:00",
    "dateReserved": "2016-02-19T00:00:00",
    "dateUpdated": "2024-08-05T23:32:20.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-45231

Vulnerability from cvelistv5

Published

2024-10-08 00:00

Modified

2025-03-17 17:30

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/forum/#%21forum/django-announce
	https://www.djangoproject.com/weblog/2024/sep/03/security-releases/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "django",
            "vendor": "djangoproject",
            "versions": [
              {
                "lessThan": "5.1.1",
                "status": "affected",
                "version": "5.1",
                "versionType": "custom"
              },
              {
                "lessThan": "5.0.9",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.2.16",
                "status": "affected",
                "version": "4.2",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45231",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-30T16:35:34.672082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-203",
                "description": "CWE-203 Observable Discrepancy",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-17T17:30:18.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-08T15:12:36.486Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-45231",
    "datePublished": "2024-10-08T00:00:00.000Z",
    "dateReserved": "2024-08-24T00:00:00.000Z",
    "dateUpdated": "2025-03-17T17:30:18.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-2513

Vulnerability from cvelistv5

Published

2016-04-08 15:00

Modified

2024-08-05 23:32

Severity ?

Summary

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

References

▼	URL	Tags
	http://rhn.redhat.com/errata/RHSA-2016-0506.html	vendor-advisory, x_refsource_REDHAT
	https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1035152	vdb-entry, x_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2016-0504.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2016/dsa-3544	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-0502.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-3	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/83878	vdb-entry, x_refsource_BID
	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2915-2	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2016-0505.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-1	vendor-advisory, x_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2016/mar/01/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:32:20.440Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0506",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
          },
          {
            "name": "1035152",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1035152"
          },
          {
            "name": "RHSA-2016:0504",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
          },
          {
            "name": "DSA-3544",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3544"
          },
          {
            "name": "RHSA-2016:0502",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
          },
          {
            "name": "USN-2915-3",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-3"
          },
          {
            "name": "83878",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/83878"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
          },
          {
            "name": "USN-2915-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-2"
          },
          {
            "name": "RHSA-2016:0505",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
          },
          {
            "name": "USN-2915-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-03-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2016:0506",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
        },
        {
          "name": "1035152",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1035152"
        },
        {
          "name": "RHSA-2016:0504",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
        },
        {
          "name": "DSA-3544",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3544"
        },
        {
          "name": "RHSA-2016:0502",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
        },
        {
          "name": "USN-2915-3",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-3"
        },
        {
          "name": "83878",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/83878"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
        },
        {
          "name": "USN-2915-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-2"
        },
        {
          "name": "RHSA-2016:0505",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
        },
        {
          "name": "USN-2915-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2513",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0506",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
            },
            {
              "name": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
            },
            {
              "name": "1035152",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1035152"
            },
            {
              "name": "RHSA-2016:0504",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
            },
            {
              "name": "DSA-3544",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3544"
            },
            {
              "name": "RHSA-2016:0502",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
            },
            {
              "name": "USN-2915-3",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-3"
            },
            {
              "name": "83878",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/83878"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
            },
            {
              "name": "USN-2915-2",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-2"
            },
            {
              "name": "RHSA-2016:0505",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
            },
            {
              "name": "USN-2915-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-2513",
    "datePublished": "2016-04-08T15:00:00",
    "dateReserved": "2016-02-19T00:00:00",
    "dateUpdated": "2024-08-05T23:32:20.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-7234

Vulnerability from cvelistv5

Published

2017-04-04 17:00

Modified

2024-08-05 15:56

Severity ?

Summary

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1038177	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/97401	vdb-entry, x_refsource_BID
	http://www.debian.org/security/2017/dsa-3835	vendor-advisory, x_refsource_DEBIAN
	https://www.djangoproject.com/weblog/2017/apr/04/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:56:36.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038177",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038177"
          },
          {
            "name": "97401",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97401"
          },
          {
            "name": "DSA-3835",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3835"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1038177",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038177"
        },
        {
          "name": "97401",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97401"
        },
        {
          "name": "DSA-3835",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3835"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7234",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038177",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038177"
            },
            {
              "name": "97401",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97401"
            },
            {
              "name": "DSA-3835",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3835"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-7234",
    "datePublished": "2017-04-04T17:00:00",
    "dateReserved": "2017-03-22T00:00:00",
    "dateUpdated": "2024-08-05T15:56:36.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-16984

Vulnerability from cvelistv5

Published

2018-10-02 18:00

Modified

2024-08-05 10:39

Severity ?

Summary

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2018/oct/01/security-release/	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1041749	vdb-entry, x_refsource_SECTRACK
	https://security.netapp.com/advisory/ntap-20190502-0009/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:39:58.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/"
          },
          {
            "name": "1041749",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041749"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190502-0009/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-10-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-02T09:06:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/"
        },
        {
          "name": "1041749",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041749"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190502-0009/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-16984",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/"
            },
            {
              "name": "1041749",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041749"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190502-0009/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190502-0009/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-16984",
    "datePublished": "2018-10-02T18:00:00",
    "dateReserved": "2018-09-13T00:00:00",
    "dateUpdated": "2024-08-05T10:39:58.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-12308

Vulnerability from cvelistv5

Published

2019-06-03 16:24

Modified

2024-08-04 23:17

Severity ?

Summary

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2019/06/03/2	mailing-list, x_refsource_MLIST
	https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8	x_refsource_MISC
	https://docs.djangoproject.com/en/dev/releases/1.11.21/	x_refsource_CONFIRM
	https://docs.djangoproject.com/en/dev/releases/2.1.9/	x_refsource_CONFIRM
	https://docs.djangoproject.com/en/dev/releases/2.2.2/	x_refsource_CONFIRM
	https://www.djangoproject.com/weblog/2019/jun/03/security-releases/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/108559	vdb-entry, x_refsource_BID
	https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/	vendor-advisory, x_refsource_FEDORA
	https://usn.ubuntu.com/4043-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2019/dsa-4476	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Jul/10	mailing-list, x_refsource_BUGTRAQ
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory, x_refsource_SUSE
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:17:39.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/"
          },
          {
            "name": "108559",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108559"
          },
          {
            "name": "[debian-lts-announce] 20190605 [SECURITY] [DLA 1814-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"
          },
          {
            "name": "FEDORA-2019-57a4324120",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/"
          },
          {
            "name": "USN-4043-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4043-1/"
          },
          {
            "name": "[debian-lts-announce] 20190701 [SECURITY] [DLA 1842-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"
          },
          {
            "name": "DSA-4476",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4476"
          },
          {
            "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/10"
          },
          {
            "name": "openSUSE-SU-2019:1839",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/GEbHU7YoVz8"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/"
        },
        {
          "name": "108559",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108559"
        },
        {
          "name": "[debian-lts-announce] 20190605 [SECURITY] [DLA 1814-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"
        },
        {
          "name": "FEDORA-2019-57a4324120",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/"
        },
        {
          "name": "USN-4043-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4043-1/"
        },
        {
          "name": "[debian-lts-announce] 20190701 [SECURITY] [DLA 1842-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"
        },
        {
          "name": "DSA-4476",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4476"
        },
        {
          "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/10"
        },
        {
          "name": "openSUSE-SU-2019:1839",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12308",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8"
            },
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/1.11.21/",
              "refsource": "CONFIRM",
              "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/"
            },
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/2.1.9/",
              "refsource": "CONFIRM",
              "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/"
            },
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/2.2.2/",
              "refsource": "CONFIRM",
              "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/"
            },
            {
              "name": "108559",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108559"
            },
            {
              "name": "[debian-lts-announce] 20190605 [SECURITY] [DLA 1814-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"
            },
            {
              "name": "FEDORA-2019-57a4324120",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/"
            },
            {
              "name": "USN-4043-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4043-1/"
            },
            {
              "name": "[debian-lts-announce] 20190701 [SECURITY] [DLA 1842-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"
            },
            {
              "name": "DSA-4476",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4476"
            },
            {
              "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/10"
            },
            {
              "name": "openSUSE-SU-2019:1839",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
            },
            {
              "name": "openSUSE-SU-2019:1872",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12308",
    "datePublished": "2019-06-03T16:24:31",
    "dateReserved": "2019-05-23T00:00:00",
    "dateUpdated": "2024-08-04T23:17:39.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2012-4520

Vulnerability from cvelistv5

Published

2012-11-18 23:00

Modified

2024-08-06 20:42

Severity ?

Summary

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

References

▼	URL	Tags
	http://www.openwall.com/lists/oss-security/2012/10/30/4	mailing-list, x_refsource_MLIST
	http://securitytracker.com/id?1027708	vdb-entry, x_refsource_SECTRACK
	https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071	x_refsource_CONFIRM
	http://www.osvdb.org/86493	vdb-entry, x_refsource_OSVDB
	http://secunia.com/advisories/51314	third-party-advisory, x_refsource_SECUNIA
	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145	x_refsource_MISC
	http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html	vendor-advisory, x_refsource_FEDORA
	http://ubuntu.com/usn/usn-1757-1	vendor-advisory, x_refsource_UBUNTU
	https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3	x_refsource_CONFIRM
	http://www.debian.org/security/2013/dsa-2634	vendor-advisory, x_refsource_DEBIAN
	https://www.djangoproject.com/weblog/2012/oct/17/security/	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html	vendor-advisory, x_refsource_FEDORA
	https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e	x_refsource_CONFIRM
	http://secunia.com/advisories/51033	third-party-advisory, x_refsource_SECUNIA
	https://bugzilla.redhat.com/show_bug.cgi?id=865164	x_refsource_MISC
	http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html	vendor-advisory, x_refsource_FEDORA
	http://ubuntu.com/usn/usn-1632-1	vendor-advisory, x_refsource_UBUNTU

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T20:42:53.672Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20121029 Re: CVE Request: Django",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/10/30/4"
          },
          {
            "name": "1027708",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1027708"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071"
          },
          {
            "name": "86493",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/86493"
          },
          {
            "name": "51314",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/51314"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145"
          },
          {
            "name": "FEDORA-2012-16440",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html"
          },
          {
            "name": "USN-1757-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-1757-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3"
          },
          {
            "name": "DSA-2634",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2634"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2012/oct/17/security/"
          },
          {
            "name": "FEDORA-2012-16417",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e"
          },
          {
            "name": "51033",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/51033"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=865164"
          },
          {
            "name": "FEDORA-2012-16406",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html"
          },
          {
            "name": "USN-1632-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-1632-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2012-10-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-05-04T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20121029 Re: CVE Request: Django",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/10/30/4"
        },
        {
          "name": "1027708",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1027708"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071"
        },
        {
          "name": "86493",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/86493"
        },
        {
          "name": "51314",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/51314"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145"
        },
        {
          "name": "FEDORA-2012-16440",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html"
        },
        {
          "name": "USN-1757-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-1757-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3"
        },
        {
          "name": "DSA-2634",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2634"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2012/oct/17/security/"
        },
        {
          "name": "FEDORA-2012-16417",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e"
        },
        {
          "name": "51033",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/51033"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=865164"
        },
        {
          "name": "FEDORA-2012-16406",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html"
        },
        {
          "name": "USN-1632-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-1632-1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-4520",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20121029 Re: CVE Request: Django",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2012/10/30/4"
            },
            {
              "name": "1027708",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1027708"
            },
            {
              "name": "https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071"
            },
            {
              "name": "86493",
              "refsource": "OSVDB",
              "url": "http://www.osvdb.org/86493"
            },
            {
              "name": "51314",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/51314"
            },
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145",
              "refsource": "MISC",
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145"
            },
            {
              "name": "FEDORA-2012-16440",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html"
            },
            {
              "name": "USN-1757-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-1757-1"
            },
            {
              "name": "https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3"
            },
            {
              "name": "DSA-2634",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2013/dsa-2634"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2012/oct/17/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2012/oct/17/security/"
            },
            {
              "name": "FEDORA-2012-16417",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html"
            },
            {
              "name": "https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e"
            },
            {
              "name": "51033",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/51033"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=865164",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=865164"
            },
            {
              "name": "FEDORA-2012-16406",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html"
            },
            {
              "name": "USN-1632-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-1632-1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-4520",
    "datePublished": "2012-11-18T23:00:00",
    "dateReserved": "2012-08-21T00:00:00",
    "dateUpdated": "2024-08-06T20:42:53.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-3982

Vulnerability from cvelistv5

Published

2015-06-02 14:00

Modified

2024-08-06 06:04

Severity ?

Summary

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2015/may/20/security-release/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/74960	vdb-entry, x_refsource_BID

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:04:02.239Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/may/20/security-release/"
          },
          {
            "name": "74960",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74960"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-05-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-02T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/may/20/security-release/"
        },
        {
          "name": "74960",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74960"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-3982",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2015/may/20/security-release/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/may/20/security-release/"
            },
            {
              "name": "74960",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74960"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-3982",
    "datePublished": "2015-06-02T14:00:00",
    "dateReserved": "2015-05-13T00:00:00",
    "dateUpdated": "2024-08-06T06:04:02.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-4140

Vulnerability from cvelistv5

Published

2011-10-19 10:00

Modified

2024-08-07 00:01

Severity ?

Summary

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

References

▼	URL	Tags
	https://hermes.opensuse.org/messages/14700881	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2011/dsa-2332	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.redhat.com/show_bug.cgi?id=737366	x_refsource_CONFIRM
	http://secunia.com/advisories/46614	third-party-advisory, x_refsource_SECUNIA
	http://openwall.com/lists/oss-security/2011/09/11/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/10/127/	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2011/09/13/2	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/09/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:01:51.120Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2012:0653",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "https://hermes.opensuse.org/messages/14700881"
          },
          {
            "name": "DSA-2332",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
          },
          {
            "name": "46614",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/46614"
          },
          {
            "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
          },
          {
            "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-17T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "openSUSE-SU-2012:0653",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "https://hermes.opensuse.org/messages/14700881"
        },
        {
          "name": "DSA-2332",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
        },
        {
          "name": "46614",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/46614"
        },
        {
          "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
        },
        {
          "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-4140",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2012:0653",
              "refsource": "SUSE",
              "url": "https://hermes.opensuse.org/messages/14700881"
            },
            {
              "name": "DSA-2332",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2332"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=737366",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
            },
            {
              "name": "46614",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/46614"
            },
            {
              "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/10/127/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
            },
            {
              "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/09/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-4140",
    "datePublished": "2011-10-19T10:00:00",
    "dateReserved": "2011-10-19T00:00:00",
    "dateUpdated": "2024-08-07T00:01:51.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-2241

Vulnerability from cvelistv5

Published

2015-03-12 14:00

Modified

2024-08-06 05:10

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/73095	vdb-entry, x_refsource_BID
	https://code.djangoproject.com/ticket/24461	x_refsource_CONFIRM
	https://www.djangoproject.com/weblog/2015/mar/09/security-releases/	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109	vendor-advisory, x_refsource_MANDRIVA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:10:15.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "73095",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/73095"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://code.djangoproject.com/ticket/24461"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/mar/09/security-releases/"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-30T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "73095",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/73095"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://code.djangoproject.com/ticket/24461"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/mar/09/security-releases/"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-2241",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "73095",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/73095"
            },
            {
              "name": "https://code.djangoproject.com/ticket/24461",
              "refsource": "CONFIRM",
              "url": "https://code.djangoproject.com/ticket/24461"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/mar/09/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/mar/09/security-releases/"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-2241",
    "datePublished": "2015-03-12T14:00:00",
    "dateReserved": "2015-03-09T00:00:00",
    "dateUpdated": "2024-08-06T05:10:15.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-2317

Vulnerability from cvelistv5

Published

2015-03-25 14:00

Modified

2024-08-06 05:10

Severity ?

Summary

The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

References

▼	URL	Tags
	http://ubuntu.com/usn/usn-2539-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/73319	vdb-entry, x_refsource_BID
	http://www.debian.org/security/2015/dsa-3204	vendor-advisory, x_refsource_DEBIAN
	http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:195	vendor-advisory, x_refsource_MANDRIVA
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html	vendor-advisory, x_refsource_FEDORA
	https://www.djangoproject.com/weblog/2015/mar/18/security-releases/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:10:16.267Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-2539-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2539-1"
          },
          {
            "name": "73319",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/73319"
          },
          {
            "name": "DSA-3204",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3204"
          },
          {
            "name": "FEDORA-2015-5766",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
          },
          {
            "name": "MDVSA-2015:195",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:195"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "FEDORA-2015-9604",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-2539-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2539-1"
        },
        {
          "name": "73319",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/73319"
        },
        {
          "name": "DSA-3204",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3204"
        },
        {
          "name": "FEDORA-2015-5766",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
        },
        {
          "name": "MDVSA-2015:195",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:195"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "FEDORA-2015-9604",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-2317",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2539-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2539-1"
            },
            {
              "name": "73319",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/73319"
            },
            {
              "name": "DSA-3204",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3204"
            },
            {
              "name": "FEDORA-2015-5766",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
            },
            {
              "name": "MDVSA-2015:195",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:195"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "FEDORA-2015-9604",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/mar/18/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-2317",
    "datePublished": "2015-03-25T14:00:00",
    "dateReserved": "2015-03-17T00:00:00",
    "dateUpdated": "2024-08-06T05:10:16.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-35042

Vulnerability from cvelistv5

Published

2021-07-02 09:54

Modified

2024-08-04 00:33

Severity ?

Summary

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/3.2/releases/security/	x_refsource_MISC
	https://www.openwall.com/lists/oss-security/2021/07/02/2	x_refsource_CONFIRM
	https://www.djangoproject.com/weblog/2021/jul/01/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20210805-0008/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:33:49.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2021/07/02/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/jul/01/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210805-0008/"
          },
          {
            "name": "FEDORA-2021-78e501d62a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-18T02:06:16",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2021/07/02/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/jul/01/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210805-0008/"
        },
        {
          "name": "FEDORA-2021-78e501d62a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-35042",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.2/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2021/07/02/2",
              "refsource": "CONFIRM",
              "url": "https://www.openwall.com/lists/oss-security/2021/07/02/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/jul/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/jul/01/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210805-0008/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210805-0008/"
            },
            {
              "name": "FEDORA-2021-78e501d62a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-35042",
    "datePublished": "2021-07-02T09:54:11",
    "dateReserved": "2021-06-18T00:00:00",
    "dateUpdated": "2024-08-04T00:33:49.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-28347

Vulnerability from cvelistv5

Published

2022-04-12 00:00

Modified

2025-02-13 16:32

Severity ?

Summary

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/04/11/1
	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:56:14.933Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:22.672Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28347",
    "datePublished": "2022-04-12T00:00:00.000Z",
    "dateReserved": "2022-04-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:34.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-4138

Vulnerability from cvelistv5

Published

2011-10-19 10:00

Modified

2024-08-07 00:01

Severity ?

Summary

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.

References

▼	URL	Tags
	https://hermes.opensuse.org/messages/14700881	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2011/dsa-2332	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.redhat.com/show_bug.cgi?id=737366	x_refsource_CONFIRM
	http://secunia.com/advisories/46614	third-party-advisory, x_refsource_SECUNIA
	http://openwall.com/lists/oss-security/2011/09/11/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/10/127/	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2011/09/13/2	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/09/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:01:51.120Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2012:0653",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "https://hermes.opensuse.org/messages/14700881"
          },
          {
            "name": "DSA-2332",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
          },
          {
            "name": "46614",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/46614"
          },
          {
            "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
          },
          {
            "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL\u0027s validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-17T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "openSUSE-SU-2012:0653",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "https://hermes.opensuse.org/messages/14700881"
        },
        {
          "name": "DSA-2332",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
        },
        {
          "name": "46614",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/46614"
        },
        {
          "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
        },
        {
          "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-4138",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL\u0027s validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2012:0653",
              "refsource": "SUSE",
              "url": "https://hermes.opensuse.org/messages/14700881"
            },
            {
              "name": "DSA-2332",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2332"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=737366",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
            },
            {
              "name": "46614",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/46614"
            },
            {
              "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/10/127/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
            },
            {
              "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/09/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-4138",
    "datePublished": "2011-10-19T10:00:00",
    "dateReserved": "2011-10-19T00:00:00",
    "dateUpdated": "2024-08-07T00:01:51.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-0222

Vulnerability from cvelistv5

Published

2015-01-16 16:00

Modified

2024-08-06 04:03

Severity ?

Summary

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

References

▼	URL	Tags
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html	vendor-advisory, x_refsource_FEDORA
	http://ubuntu.com/usn/usn-2469-1	vendor-advisory, x_refsource_UBUNTU
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html	vendor-advisory, x_refsource_FEDORA
	http://secunia.com/advisories/62285	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/jan/13/security/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	http://secunia.com/advisories/62309	third-party-advisory, x_refsource_SECUNIA
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109	vendor-advisory, x_refsource_MANDRIVA
	http://advisories.mageia.org/MGASA-2015-0026.html	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.434Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2015-0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "USN-2469-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2469-1"
          },
          {
            "name": "FEDORA-2015-0790",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
          },
          {
            "name": "62285",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "FEDORA-2015-0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
        },
        {
          "name": "USN-2469-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2469-1"
        },
        {
          "name": "FEDORA-2015-0790",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
        },
        {
          "name": "62285",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62285"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "62309",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62309"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
        },
        {
          "name": "FEDORA-2015-0714",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0222",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2469-1"
            },
            {
              "name": "FEDORA-2015-0790",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
            },
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0222",
    "datePublished": "2015-01-16T16:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T04:03:10.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-41164

Vulnerability from cvelistv5

Published

2023-11-03 00:00

Modified

2024-08-02 18:54

Severity ?

Summary

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.2/releases/security/
	https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20231214-0002/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:54:03.498Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases/"
          },
          {
            "name": "FEDORA-2023-a67af7d8f4",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231214-0002/"
          },
          {
            "name": "FEDORA-2024-84fbbbb914",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-20T03:06:02.315105",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases/"
        },
        {
          "name": "FEDORA-2023-a67af7d8f4",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231214-0002/"
        },
        {
          "name": "FEDORA-2024-84fbbbb914",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-41164",
    "datePublished": "2023-11-03T00:00:00",
    "dateReserved": "2023-08-24T00:00:00",
    "dateUpdated": "2024-08-02T18:54:03.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-13254

Vulnerability from cvelistv5

Published

2020-06-03 13:11

Modified

2024-08-04 12:11

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

References

▼	URL	Tags
	https://usn.ubuntu.com/4381-1/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/4381-2/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2020/dsa-4705	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://docs.djangoproject.com/en/3.0/releases/security/	x_refsource_MISC
	https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ	x_refsource_MISC
	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20200611-0002/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:11:19.484Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-4381-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4381-1/"
          },
          {
            "name": "USN-4381-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4381-2/"
          },
          {
            "name": "[debian-lts-announce] 20200612 [SECURITY] [DLA 2233-2] python-django regression update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html"
          },
          {
            "name": "DSA-4705",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4705"
          },
          {
            "name": "FEDORA-2020-c2639662af",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-4381-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4381-1/"
        },
        {
          "name": "USN-4381-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4381-2/"
        },
        {
          "name": "[debian-lts-announce] 20200612 [SECURITY] [DLA 2233-2] python-django regression update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html"
        },
        {
          "name": "DSA-4705",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4705"
        },
        {
          "name": "FEDORA-2020-c2639662af",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-13254",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-4381-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4381-1/"
            },
            {
              "name": "USN-4381-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4381-2/"
            },
            {
              "name": "[debian-lts-announce] 20200612 [SECURITY] [DLA 2233-2] python-django regression update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html"
            },
            {
              "name": "DSA-4705",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4705"
            },
            {
              "name": "FEDORA-2020-c2639662af",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
            },
            {
              "name": "https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ",
              "refsource": "MISC",
              "url": "https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200611-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-13254",
    "datePublished": "2020-06-03T13:11:57",
    "dateReserved": "2020-05-21T00:00:00",
    "dateUpdated": "2024-08-04T12:11:19.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33203

Vulnerability from cvelistv5

Published

2021-06-08 17:52

Modified

2024-08-03 23:42

Severity ?

Summary

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/3.2/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20210727-0004/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:42:20.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210727-0004/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:41",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210727-0004/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-33203",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.2/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210727-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210727-0004/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33203",
    "datePublished": "2021-06-08T17:52:20",
    "dateReserved": "2021-05-19T00:00:00",
    "dateUpdated": "2024-08-03T23:42:20.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-3498

Vulnerability from cvelistv5

Published

2019-01-09 22:00

Modified

2024-08-04 19:12

Severity ?

Summary

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ	x_refsource_MISC
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://usn.ubuntu.com/3851-1/	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/106453	vdb-entry, x_refsource_BID
	https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2019/jan/04/security-releases/	x_refsource_MISC
	https://www.debian.org/security/2019/dsa-4363	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:12:09.465Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "name": "USN-3851-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3851-1/"
          },
          {
            "name": "106453",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106453"
          },
          {
            "name": "[debian-lts-announce] 20190106 [SECURITY] [DLA 1629-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/"
          },
          {
            "name": "DSA-4363",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4363"
          },
          {
            "name": "FEDORA-2019-5ad2149e99",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-01-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-20T22:06:03",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "USN-3851-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3851-1/"
        },
        {
          "name": "106453",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106453"
        },
        {
          "name": "[debian-lts-announce] 20190106 [SECURITY] [DLA 1629-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/"
        },
        {
          "name": "DSA-4363",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4363"
        },
        {
          "name": "FEDORA-2019-5ad2149e99",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-3498",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ"
            },
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "USN-3851-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3851-1/"
            },
            {
              "name": "106453",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106453"
            },
            {
              "name": "[debian-lts-announce] 20190106 [SECURITY] [DLA 1629-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/"
            },
            {
              "name": "DSA-4363",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4363"
            },
            {
              "name": "FEDORA-2019-5ad2149e99",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-3498",
    "datePublished": "2019-01-09T22:00:00",
    "dateReserved": "2019-01-01T00:00:00",
    "dateUpdated": "2024-08-04T19:12:09.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-7233

Vulnerability from cvelistv5

Published

2017-04-04 17:00

Modified

2024-08-05 15:56

Severity ?

Summary

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1038177	vdb-entry, x_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2017:1596	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/97406	vdb-entry, x_refsource_BID
	https://access.redhat.com/errata/RHSA-2017:3093	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2017/dsa-3835	vendor-advisory, x_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2017:1445	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:1451	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:2927	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:1470	vendor-advisory, x_refsource_REDHAT
	https://www.djangoproject.com/weblog/2017/apr/04/security-releases/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:1462	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:56:36.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038177",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038177"
          },
          {
            "name": "RHSA-2017:1596",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1596"
          },
          {
            "name": "97406",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97406"
          },
          {
            "name": "RHSA-2017:3093",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3093"
          },
          {
            "name": "DSA-3835",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3835"
          },
          {
            "name": "RHSA-2017:1445",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1445"
          },
          {
            "name": "RHSA-2017:1451",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1451"
          },
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          },
          {
            "name": "RHSA-2017:1470",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1470"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
          },
          {
            "name": "RHSA-2017:1462",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1462"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1038177",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038177"
        },
        {
          "name": "RHSA-2017:1596",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1596"
        },
        {
          "name": "97406",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97406"
        },
        {
          "name": "RHSA-2017:3093",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3093"
        },
        {
          "name": "DSA-3835",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3835"
        },
        {
          "name": "RHSA-2017:1445",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1445"
        },
        {
          "name": "RHSA-2017:1451",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1451"
        },
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        },
        {
          "name": "RHSA-2017:1470",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1470"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
        },
        {
          "name": "RHSA-2017:1462",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1462"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7233",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038177",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038177"
            },
            {
              "name": "RHSA-2017:1596",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1596"
            },
            {
              "name": "97406",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97406"
            },
            {
              "name": "RHSA-2017:3093",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3093"
            },
            {
              "name": "DSA-3835",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3835"
            },
            {
              "name": "RHSA-2017:1445",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1445"
            },
            {
              "name": "RHSA-2017:1451",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1451"
            },
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "RHSA-2017:1470",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1470"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2017/apr/04/security-releases/"
            },
            {
              "name": "RHSA-2017:1462",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1462"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-7233",
    "datePublished": "2017-04-04T17:00:00",
    "dateReserved": "2017-03-22T00:00:00",
    "dateUpdated": "2024-08-05T15:56:36.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-14234

Vulnerability from cvelistv5

Published

2019-08-09 12:16

Modified

2024-08-05 00:12

Severity ?

Summary

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/aug/01/security-releases/	x_refsource_CONFIRM
	https://seclists.org/bugtraq/2019/Aug/15	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4498	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory, x_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20190828-0002/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:12:42.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
          },
          {
            "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/15"
          },
          {
            "name": "DSA-4498",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4498"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          },
          {
            "name": "FEDORA-2019-647f74ce51",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:11",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
        },
        {
          "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/15"
        },
        {
          "name": "DSA-4498",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4498"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        },
        {
          "name": "FEDORA-2019-647f74ce51",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14234",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
            },
            {
              "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/15"
            },
            {
              "name": "DSA-4498",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4498"
            },
            {
              "name": "openSUSE-SU-2019:1872",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
            },
            {
              "name": "FEDORA-2019-647f74ce51",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190828-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14234",
    "datePublished": "2019-08-09T12:16:44",
    "dateReserved": "2019-07-22T00:00:00",
    "dateUpdated": "2024-08-05T00:12:42.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-0219

Vulnerability from cvelistv5

Published

2015-01-16 16:00

Modified

2024-08-06 04:03

Severity ?

Summary

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

References

▼	URL	Tags
	http://secunia.com/advisories/62718	third-party-advisory, x_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html	vendor-advisory, x_refsource_FEDORA
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:036	vendor-advisory, x_refsource_MANDRIVA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html	vendor-advisory, x_refsource_FEDORA
	http://secunia.com/advisories/62285	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/jan/13/security/	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2469-1	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	http://secunia.com/advisories/62309	third-party-advisory, x_refsource_SECUNIA
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109	vendor-advisory, x_refsource_MANDRIVA
	http://advisories.mageia.org/MGASA-2015-0026.html	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.188Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62718",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62718"
          },
          {
            "name": "FEDORA-2015-0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "MDVSA-2015:036",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
          },
          {
            "name": "FEDORA-2015-0790",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
          },
          {
            "name": "62285",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "USN-2469-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2469-1"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "62718",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62718"
        },
        {
          "name": "FEDORA-2015-0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
        },
        {
          "name": "MDVSA-2015:036",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
        },
        {
          "name": "FEDORA-2015-0790",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
        },
        {
          "name": "62285",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62285"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
        },
        {
          "name": "USN-2469-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2469-1"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "62309",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62309"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
        },
        {
          "name": "FEDORA-2015-0714",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0219",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62718",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62718"
            },
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "MDVSA-2015:036",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
            },
            {
              "name": "FEDORA-2015-0790",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html"
            },
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2469-1"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0219",
    "datePublished": "2015-01-16T16:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T04:03:10.188Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-9013

Vulnerability from cvelistv5

Published

2016-12-09 20:00

Modified

2024-08-06 02:35

Severity ?

Summary

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2016/nov/01/security-releases/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/	vendor-advisory, x_refsource_FEDORA
	http://www.debian.org/security/2017/dsa-3835	vendor-advisory, x_refsource_DEBIAN
	http://www.ubuntu.com/usn/USN-3115-1	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/94069	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1037159	vdb-entry, x_refsource_SECTRACK
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:35:02.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
          },
          {
            "name": "FEDORA-2016-d4571bf555",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
          },
          {
            "name": "DSA-3835",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3835"
          },
          {
            "name": "USN-3115-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3115-1"
          },
          {
            "name": "94069",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94069"
          },
          {
            "name": "1037159",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1037159"
          },
          {
            "name": "FEDORA-2016-3eb5a55123",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-11-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
        },
        {
          "name": "FEDORA-2016-d4571bf555",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
        },
        {
          "name": "DSA-3835",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3835"
        },
        {
          "name": "USN-3115-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3115-1"
        },
        {
          "name": "94069",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94069"
        },
        {
          "name": "1037159",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1037159"
        },
        {
          "name": "FEDORA-2016-3eb5a55123",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-9013",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"
            },
            {
              "name": "FEDORA-2016-d4571bf555",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"
            },
            {
              "name": "DSA-3835",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3835"
            },
            {
              "name": "USN-3115-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3115-1"
            },
            {
              "name": "94069",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94069"
            },
            {
              "name": "1037159",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1037159"
            },
            {
              "name": "FEDORA-2016-3eb5a55123",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-9013",
    "datePublished": "2016-12-09T20:00:00",
    "dateReserved": "2016-10-25T00:00:00",
    "dateUpdated": "2024-08-06T02:35:02.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-13596

Vulnerability from cvelistv5

Published

2020-06-03 13:13

Modified

2024-08-04 12:25

Severity ?

Summary

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

References

▼	URL	Tags
	https://usn.ubuntu.com/4381-1/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/4381-2/	vendor-advisory, x_refsource_UBUNTU
	https://www.debian.org/security/2020/dsa-4705	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://docs.djangoproject.com/en/3.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20200611-0002/	x_refsource_CONFIRM
	https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ	x_refsource_MISC

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:25:16.180Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-4381-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4381-1/"
          },
          {
            "name": "USN-4381-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4381-2/"
          },
          {
            "name": "DSA-4705",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4705"
          },
          {
            "name": "FEDORA-2020-c2639662af",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-4381-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4381-1/"
        },
        {
          "name": "USN-4381-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4381-2/"
        },
        {
          "name": "DSA-4705",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4705"
        },
        {
          "name": "FEDORA-2020-c2639662af",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-13596",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-4381-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4381-1/"
            },
            {
              "name": "USN-4381-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4381-2/"
            },
            {
              "name": "DSA-4705",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4705"
            },
            {
              "name": "FEDORA-2020-c2639662af",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://docs.djangoproject.com/en/3.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2020/jun/03/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200611-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200611-0002/"
            },
            {
              "name": "https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-13596",
    "datePublished": "2020-06-03T13:13:55",
    "dateReserved": "2020-05-26T00:00:00",
    "dateUpdated": "2024-08-04T12:25:16.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2010-4534

Vulnerability from cvelistv5

Published

2011-01-10 19:18

Modified

2024-08-07 03:51

Severity ?

Summary

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/45562	vdb-entry, x_refsource_BID
	http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2010/12/23/4	mailing-list, x_refsource_MLIST
	http://www.securityfocus.com/archive/1/515446	mailing-list, x_refsource_BUGTRAQ
	http://www.ubuntu.com/usn/USN-1040-1	vendor-advisory, x_refsource_UBUNTU
	http://www.openwall.com/lists/oss-security/2011/01/03/5	mailing-list, x_refsource_MLIST
	http://secunia.com/advisories/42913	third-party-advisory, x_refsource_SECUNIA
	http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/	x_refsource_MISC
	http://code.djangoproject.com/changeset/15031	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2011/0048	vdb-entry, x_refsource_VUPEN
	http://www.vupen.com/english/advisories/2011/0098	vdb-entry, x_refsource_VUPEN
	http://www.djangoproject.com/weblog/2010/dec/22/security/	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html	vendor-advisory, x_refsource_FEDORA
	https://bugzilla.redhat.com/show_bug.cgi?id=665373	x_refsource_CONFIRM
	http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html	mailing-list, x_refsource_FULLDISC
	http://secunia.com/advisories/42715	third-party-advisory, x_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html	vendor-advisory, x_refsource_FEDORA
	http://secunia.com/advisories/42827	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T03:51:17.373Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "45562",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/45562"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/"
          },
          {
            "name": "[oss-security] 20101223 CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2010/12/23/4"
          },
          {
            "name": "20101223 Django admin list filter data extraction / leakage",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/515446"
          },
          {
            "name": "USN-1040-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1040-1"
          },
          {
            "name": "[oss-security] 20110103 Re: CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
          },
          {
            "name": "42913",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42913"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://code.djangoproject.com/changeset/15031"
          },
          {
            "name": "ADV-2011-0048",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0048"
          },
          {
            "name": "ADV-2011-0098",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0098"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2010/dec/22/security/"
          },
          {
            "name": "FEDORA-2011-0096",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=665373"
          },
          {
            "name": "20101223 Django admin list filter data extraction / leakage",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html"
          },
          {
            "name": "42715",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42715"
          },
          {
            "name": "FEDORA-2011-0120",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html"
          },
          {
            "name": "42827",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42827"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-12-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-01-19T10:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "45562",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/45562"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/"
        },
        {
          "name": "[oss-security] 20101223 CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2010/12/23/4"
        },
        {
          "name": "20101223 Django admin list filter data extraction / leakage",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/515446"
        },
        {
          "name": "USN-1040-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1040-1"
        },
        {
          "name": "[oss-security] 20110103 Re: CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
        },
        {
          "name": "42913",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42913"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://code.djangoproject.com/changeset/15031"
        },
        {
          "name": "ADV-2011-0048",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0048"
        },
        {
          "name": "ADV-2011-0098",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0098"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2010/dec/22/security/"
        },
        {
          "name": "FEDORA-2011-0096",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=665373"
        },
        {
          "name": "20101223 Django admin list filter data extraction / leakage",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html"
        },
        {
          "name": "42715",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42715"
        },
        {
          "name": "FEDORA-2011-0120",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html"
        },
        {
          "name": "42827",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42827"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-4534",
    "datePublished": "2011-01-10T19:18:00",
    "dateReserved": "2010-12-09T00:00:00",
    "dateUpdated": "2024-08-07T03:51:17.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-14235

Vulnerability from cvelistv5

Published

2019-08-02 14:34

Modified

2024-08-05 00:12

Severity ?

Summary

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/aug/01/security-releases/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html	vendor-advisory, x_refsource_SUSE
	https://seclists.org/bugtraq/2019/Aug/15	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4498	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory, x_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/	vendor-advisory, x_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-20190828-0002/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-17	vendor-advisory, x_refsource_GENTOO

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:12:42.608Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
          },
          {
            "name": "openSUSE-SU-2019:1839",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
          },
          {
            "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/15"
          },
          {
            "name": "DSA-4498",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4498"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          },
          {
            "name": "FEDORA-2019-647f74ce51",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
          },
          {
            "name": "GLSA-202004-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-01T01:06:12",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
        },
        {
          "name": "openSUSE-SU-2019:1839",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
        },
        {
          "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/15"
        },
        {
          "name": "DSA-4498",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4498"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        },
        {
          "name": "FEDORA-2019-647f74ce51",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
        },
        {
          "name": "GLSA-202004-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-17"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14235",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/"
            },
            {
              "name": "openSUSE-SU-2019:1839",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
            },
            {
              "name": "20190812 [SECURITY] [DSA 4498-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/15"
            },
            {
              "name": "DSA-4498",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4498"
            },
            {
              "name": "openSUSE-SU-2019:1872",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
            },
            {
              "name": "FEDORA-2019-647f74ce51",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190828-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190828-0002/"
            },
            {
              "name": "GLSA-202004-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-17"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14235",
    "datePublished": "2019-08-02T14:34:22",
    "dateReserved": "2019-07-22T00:00:00",
    "dateUpdated": "2024-08-05T00:12:42.608Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2012-3443

Vulnerability from cvelistv5

Published

2012-07-31 17:00

Modified

2024-08-06 20:05

Severity ?

Summary

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

References

▼	URL	Tags
	http://www.openwall.com/lists/oss-security/2012/07/31/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=MDVSA-2012:143	vendor-advisory, x_refsource_MANDRIVA
	http://www.ubuntu.com/usn/USN-1560-1	vendor-advisory, x_refsource_UBUNTU
	http://www.openwall.com/lists/oss-security/2012/07/31/2	mailing-list, x_refsource_MLIST
	http://www.debian.org/security/2012/dsa-2529	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T20:05:12.549Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
          },
          {
            "name": "MDVSA-2012:143",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
          },
          {
            "name": "USN-1560-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1560-1"
          },
          {
            "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
          },
          {
            "name": "DSA-2529",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2012/dsa-2529"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2012-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2012-09-29T09:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/"
        },
        {
          "name": "MDVSA-2012:143",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
        },
        {
          "name": "USN-1560-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1560-1"
        },
        {
          "name": "[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
        },
        {
          "name": "DSA-2529",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2012/dsa-2529"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-3443",
    "datePublished": "2012-07-31T17:00:00",
    "dateReserved": "2012-06-14T00:00:00",
    "dateUpdated": "2024-08-06T20:05:12.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-22818

Vulnerability from cvelistv5

Published

2022-02-03 00:00

Modified

2024-08-03 03:21

Severity ?

Summary

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220221-0003/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:49.173Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-22818",
    "datePublished": "2022-02-03T00:00:00",
    "dateReserved": "2022-01-07T00:00:00",
    "dateUpdated": "2024-08-03T03:21:49.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-36359

Vulnerability from cvelistv5

Published

2022-08-03 00:00

Modified

2025-02-13 16:32

Severity ?

Summary

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/08/03/1	mailing-list
	https://groups.google.com/g/django-announce/c/8cz--gvaJr4
	https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
	https://security.netapp.com/advisory/ntap-20220915-0008/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:00:04.235Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "name": "[oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/03/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220915-0008/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:19.367Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "name": "[oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/03/1"
        },
        {
          "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220915-0008/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-36359",
    "datePublished": "2022-08-03T00:00:00.000Z",
    "dateReserved": "2022-07-21T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:48.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-14574

Vulnerability from cvelistv5

Published

2018-08-03 17:00

Modified

2024-08-05 09:29

Severity ?

Summary

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2018/aug/01/security-releases/	x_refsource_CONFIRM
	https://usn.ubuntu.com/3726-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.debian.org/security/2018/dsa-4264	vendor-advisory, x_refsource_DEBIAN
	http://www.securitytracker.com/id/1041403	vdb-entry, x_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2019:0265	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/104970	vdb-entry, x_refsource_BID

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:29:51.795Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/"
          },
          {
            "name": "USN-3726-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3726-1/"
          },
          {
            "name": "DSA-4264",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4264"
          },
          {
            "name": "1041403",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041403"
          },
          {
            "name": "RHSA-2019:0265",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0265"
          },
          {
            "name": "104970",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104970"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-08-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-04T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/"
        },
        {
          "name": "USN-3726-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3726-1/"
        },
        {
          "name": "DSA-4264",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4264"
        },
        {
          "name": "1041403",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041403"
        },
        {
          "name": "RHSA-2019:0265",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0265"
        },
        {
          "name": "104970",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104970"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14574",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/"
            },
            {
              "name": "USN-3726-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3726-1/"
            },
            {
              "name": "DSA-4264",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4264"
            },
            {
              "name": "1041403",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041403"
            },
            {
              "name": "RHSA-2019:0265",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0265"
            },
            {
              "name": "104970",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104970"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14574",
    "datePublished": "2018-08-03T17:00:00",
    "dateReserved": "2018-07-24T00:00:00",
    "dateUpdated": "2024-08-05T09:29:51.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-0698

Vulnerability from cvelistv5

Published

2011-02-14 20:00

Modified

2024-08-06 21:58

Severity ?

Summary

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

References

▼	URL	Tags
	http://www.vupen.com/english/advisories/2011/0439	vdb-entry, x_refsource_VUPEN
	http://openwall.com/lists/oss-security/2011/02/09/6	mailing-list, x_refsource_MLIST
	http://secunia.com/advisories/43230	third-party-advisory, x_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2011/0372	vdb-entry, x_refsource_VUPEN
	http://www.securityfocus.com/bid/46296	vdb-entry, x_refsource_BID
	http://www.mandriva.com/security/advisories?name=MDVSA-2011:031	vendor-advisory, x_refsource_MANDRIVA
	http://www.djangoproject.com/weblog/2011/feb/08/security/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:58:26.134Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ADV-2011-0439",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0439"
          },
          {
            "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
          },
          {
            "name": "43230",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43230"
          },
          {
            "name": "ADV-2011-0372",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0372"
          },
          {
            "name": "46296",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/46296"
          },
          {
            "name": "MDVSA-2011:031",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-02-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-02-23T10:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "ADV-2011-0439",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0439"
        },
        {
          "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
        },
        {
          "name": "43230",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43230"
        },
        {
          "name": "ADV-2011-0372",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0372"
        },
        {
          "name": "46296",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/46296"
        },
        {
          "name": "MDVSA-2011:031",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-0698",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2011-0439",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2011/0439"
            },
            {
              "name": "[oss-security] 20110209 Django multiple flaws (CVEs inside)",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
            },
            {
              "name": "43230",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/43230"
            },
            {
              "name": "ADV-2011-0372",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2011/0372"
            },
            {
              "name": "46296",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/46296"
            },
            {
              "name": "MDVSA-2011:031",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
            },
            {
              "name": "http://www.djangoproject.com/weblog/2011/feb/08/security/",
              "refsource": "CONFIRM",
              "url": "http://www.djangoproject.com/weblog/2011/feb/08/security/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-0698",
    "datePublished": "2011-02-14T20:00:00",
    "dateReserved": "2011-01-31T00:00:00",
    "dateUpdated": "2024-08-06T21:58:26.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-0220

Vulnerability from cvelistv5

Published

2015-01-16 16:00

Modified

2024-08-06 04:03

Severity ?

Summary

The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.

References

▼	URL	Tags
	http://secunia.com/advisories/62718	third-party-advisory, x_refsource_SECUNIA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html	vendor-advisory, x_refsource_FEDORA
	http://ubuntu.com/usn/usn-2469-1	vendor-advisory, x_refsource_UBUNTU
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:036	vendor-advisory, x_refsource_MANDRIVA
	http://secunia.com/advisories/62285	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html	vendor-advisory, x_refsource_SUSE
	https://www.djangoproject.com/weblog/2015/jan/13/security/	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html	vendor-advisory, x_refsource_SUSE
	http://secunia.com/advisories/62309	third-party-advisory, x_refsource_SECUNIA
	http://www.mandriva.com/security/advisories?name=MDVSA-2015:109	vendor-advisory, x_refsource_MANDRIVA
	http://advisories.mageia.org/MGASA-2015-0026.html	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62718",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62718"
          },
          {
            "name": "FEDORA-2015-0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
          },
          {
            "name": "USN-2469-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2469-1"
          },
          {
            "name": "MDVSA-2015:036",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
          },
          {
            "name": "62285",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62285"
          },
          {
            "name": "openSUSE-SU-2015:1598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
          },
          {
            "name": "openSUSE-SU-2015:0643",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
          },
          {
            "name": "62309",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62309"
          },
          {
            "name": "MDVSA-2015:109",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
          },
          {
            "name": "FEDORA-2015-0714",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-20T16:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "62718",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62718"
        },
        {
          "name": "FEDORA-2015-0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
        },
        {
          "name": "USN-2469-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2469-1"
        },
        {
          "name": "MDVSA-2015:036",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
        },
        {
          "name": "62285",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62285"
        },
        {
          "name": "openSUSE-SU-2015:1598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
        },
        {
          "name": "openSUSE-SU-2015:0643",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
        },
        {
          "name": "62309",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62309"
        },
        {
          "name": "MDVSA-2015:109",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
        },
        {
          "name": "FEDORA-2015-0714",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0220",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62718",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62718"
            },
            {
              "name": "FEDORA-2015-0804",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html"
            },
            {
              "name": "USN-2469-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2469-1"
            },
            {
              "name": "MDVSA-2015:036",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:036"
            },
            {
              "name": "62285",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62285"
            },
            {
              "name": "openSUSE-SU-2015:1598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/jan/13/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/jan/13/security/"
            },
            {
              "name": "openSUSE-SU-2015:0643",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html"
            },
            {
              "name": "62309",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62309"
            },
            {
              "name": "MDVSA-2015:109",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:109"
            },
            {
              "name": "http://advisories.mageia.org/MGASA-2015-0026.html",
              "refsource": "CONFIRM",
              "url": "http://advisories.mageia.org/MGASA-2015-0026.html"
            },
            {
              "name": "FEDORA-2015-0714",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0220",
    "datePublished": "2015-01-16T16:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T04:03:10.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0480

Vulnerability from cvelistv5

Published

2014-08-26 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2014/aug/20/security/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/69425	vdb-entry, x_refsource_BID
	http://secunia.com/advisories/61276	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2014/dsa-3010	vendor-advisory, x_refsource_DEBIAN
	http://secunia.com/advisories/59782	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
          },
          {
            "name": "69425",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/69425"
          },
          {
            "name": "61276",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61276"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "DSA-3010",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-3010"
          },
          {
            "name": "59782",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/59782"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-08-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
        },
        {
          "name": "69425",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/69425"
        },
        {
          "name": "61276",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61276"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "DSA-3010",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-3010"
        },
        {
          "name": "59782",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/59782"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0480",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2014/aug/20/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
            },
            {
              "name": "69425",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/69425"
            },
            {
              "name": "61276",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61276"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "DSA-3010",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-3010"
            },
            {
              "name": "59782",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/59782"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0480",
    "datePublished": "2014-08-26T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2010-3082

Vulnerability from cvelistv5

Published

2010-09-14 18:00

Modified

2024-08-07 02:55

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.

References

▼	URL	Tags
	http://www.ubuntu.com/usn/USN-1004-1	vendor-advisory, x_refsource_UBUNTU
	https://exchange.xforce.ibmcloud.com/vulnerabilities/61729	vdb-entry, x_refsource_XF
	http://www.securityfocus.com/bid/43116	vdb-entry, x_refsource_BID
	http://marc.info/?l=oss-security&m=128403961700444&w=2	mailing-list, x_refsource_MLIST
	https://bugzilla.redhat.com/show_bug.cgi?id=632239	x_refsource_CONFIRM
	http://www.djangoproject.com/weblog/2010/sep/08/security-release/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T02:55:46.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-1004-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1004-1"
          },
          {
            "name": "django-token-csrf(61729)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61729"
          },
          {
            "name": "43116",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/43116"
          },
          {
            "name": "[oss-security] 20100909 CVE Assignment: django",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=oss-security\u0026m=128403961700444\u0026w=2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=632239"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.djangoproject.com/weblog/2010/sep/08/security-release/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-09-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "USN-1004-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1004-1"
        },
        {
          "name": "django-token-csrf(61729)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61729"
        },
        {
          "name": "43116",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/43116"
        },
        {
          "name": "[oss-security] 20100909 CVE Assignment: django",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://marc.info/?l=oss-security\u0026m=128403961700444\u0026w=2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=632239"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.djangoproject.com/weblog/2010/sep/08/security-release/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-3082",
    "datePublished": "2010-09-14T18:00:00",
    "dateReserved": "2010-08-20T00:00:00",
    "dateUpdated": "2024-08-07T02:55:46.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0483

Vulnerability from cvelistv5

Published

2014-08-26 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

References

▼	URL	Tags
	https://www.djangoproject.com/weblog/2014/aug/20/security/	x_refsource_CONFIRM
	http://secunia.com/advisories/61276	third-party-advisory, x_refsource_SECUNIA
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2014/dsa-3010	vendor-advisory, x_refsource_DEBIAN
	https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6	x_refsource_CONFIRM
	http://secunia.com/advisories/59782	third-party-advisory, x_refsource_SECUNIA

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
          },
          {
            "name": "61276",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61276"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "DSA-3010",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-3010"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6"
          },
          {
            "name": "59782",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/59782"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-08-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1\u0026t=password URI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
        },
        {
          "name": "61276",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61276"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "DSA-3010",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-3010"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6"
        },
        {
          "name": "59782",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/59782"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0483",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1\u0026t=password URI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2014/aug/20/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"
            },
            {
              "name": "61276",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61276"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "DSA-3010",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-3010"
            },
            {
              "name": "https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6"
            },
            {
              "name": "59782",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/59782"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0483",
    "datePublished": "2014-08-26T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-1418

Vulnerability from cvelistv5

Published

2014-05-16 15:00

Modified

2024-08-06 09:42

Severity ?

Summary

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

References

▼	URL	Tags
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2014/dsa-2934	vendor-advisory, x_refsource_DEBIAN
	http://ubuntu.com/usn/usn-2212-1	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://www.openwall.com/lists/oss-security/2014/05/15/3	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2014/05/14/10	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:42:35.452Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "USN-2212-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://ubuntu.com/usn/usn-2212-1"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
          },
          {
            "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-05-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "DSA-2934",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2934"
        },
        {
          "name": "USN-2212-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://ubuntu.com/usn/usn-2212-1"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
        },
        {
          "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "ID": "CVE-2014-1418",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "USN-2212-1",
              "refsource": "UBUNTU",
              "url": "http://ubuntu.com/usn/usn-2212-1"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
            },
            {
              "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2014-1418",
    "datePublished": "2014-05-16T15:00:00",
    "dateReserved": "2014-01-13T00:00:00",
    "dateUpdated": "2024-08-06T09:42:35.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-43665

Vulnerability from cvelistv5

Published

2023-11-03 00:00

Modified

2024-08-02 19:44

Severity ?

Summary

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

References

▼	URL	Tags
	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.2/releases/security/
	https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20231221-0001/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/03/04/1	mailing-list

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:44:43.929Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/"
          },
          {
            "name": "FEDORA-2023-a67af7d8f4",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231221-0001/"
          },
          {
            "name": "FEDORA-2024-84fbbbb914",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
          },
          {
            "name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T17:09:51.000328",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.2/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/"
        },
        {
          "name": "FEDORA-2023-a67af7d8f4",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231221-0001/"
        },
        {
          "name": "FEDORA-2024-84fbbbb914",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
        },
        {
          "name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-43665",
    "datePublished": "2023-11-03T00:00:00",
    "dateReserved": "2023-09-20T00:00:00",
    "dateUpdated": "2024-08-02T19:44:43.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-4139

Vulnerability from cvelistv5

Published

2011-10-19 10:00

Modified

2024-08-07 00:01

Severity ?

Summary

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

References

▼	URL	Tags
	https://hermes.opensuse.org/messages/14700881	vendor-advisory, x_refsource_SUSE
	http://www.debian.org/security/2011/dsa-2332	vendor-advisory, x_refsource_DEBIAN
	https://bugzilla.redhat.com/show_bug.cgi?id=737366	x_refsource_CONFIRM
	http://secunia.com/advisories/46614	third-party-advisory, x_refsource_SECUNIA
	http://openwall.com/lists/oss-security/2011/09/11/1	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/10/127/	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2011/09/13/2	mailing-list, x_refsource_MLIST
	https://www.djangoproject.com/weblog/2011/sep/09/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:01:50.429Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2012:0653",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "https://hermes.opensuse.org/messages/14700881"
          },
          {
            "name": "DSA-2332",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2332"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
          },
          {
            "name": "46614",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/46614"
          },
          {
            "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
          },
          {
            "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request\u0027s HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-17T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "openSUSE-SU-2012:0653",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "https://hermes.opensuse.org/messages/14700881"
        },
        {
          "name": "DSA-2332",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2332"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
        },
        {
          "name": "46614",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/46614"
        },
        {
          "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
        },
        {
          "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-4139",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request\u0027s HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2012:0653",
              "refsource": "SUSE",
              "url": "https://hermes.opensuse.org/messages/14700881"
            },
            {
              "name": "DSA-2332",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2332"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=737366",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=737366"
            },
            {
              "name": "46614",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/46614"
            },
            {
              "name": "[oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/11/1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/10/127/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/10/127/"
            },
            {
              "name": "[oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2011/09/13/2"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2011/sep/09/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2011/sep/09/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-4139",
    "datePublished": "2011-10-19T10:00:00",
    "dateReserved": "2011-10-19T00:00:00",
    "dateUpdated": "2024-08-07T00:01:50.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-12781

Vulnerability from cvelistv5

Published

2019-07-01 13:56

Modified

2024-08-04 23:32

Severity ?

Summary

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

References

▼	URL	Tags
	https://docs.djangoproject.com/en/dev/releases/security/	x_refsource_MISC
	https://groups.google.com/forum/#%21topic/django-announce/Is4kLY9ZcZQ	x_refsource_MISC
	https://www.djangoproject.com/weblog/2019/jul/01/security-releases/	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2019/07/01/3	mailing-list, x_refsource_MLIST
	https://usn.ubuntu.com/4043-1/	vendor-advisory, x_refsource_UBUNTU
	http://www.securityfocus.com/bid/109018	vdb-entry, x_refsource_BID
	https://security.netapp.com/advisory/ntap-20190705-0002/	x_refsource_CONFIRM
	https://www.debian.org/security/2019/dsa-4476	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Jul/10	mailing-list, x_refsource_BUGTRAQ
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html	vendor-advisory, x_refsource_SUSE

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:32:54.914Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/dev/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/django-announce/Is4kLY9ZcZQ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/"
          },
          {
            "name": "[oss-security] 20190701 Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/07/01/3"
          },
          {
            "name": "USN-4043-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4043-1/"
          },
          {
            "name": "109018",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/109018"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190705-0002/"
          },
          {
            "name": "DSA-4476",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4476"
          },
          {
            "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/10"
          },
          {
            "name": "FEDORA-2019-d9aa58d863",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/"
          },
          {
            "name": "openSUSE-SU-2019:1839",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
          },
          {
            "name": "openSUSE-SU-2019:1872",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-14T14:06:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21topic/django-announce/Is4kLY9ZcZQ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/"
        },
        {
          "name": "[oss-security] 20190701 Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/07/01/3"
        },
        {
          "name": "USN-4043-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4043-1/"
        },
        {
          "name": "109018",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/109018"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190705-0002/"
        },
        {
          "name": "DSA-4476",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4476"
        },
        {
          "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/10"
        },
        {
          "name": "FEDORA-2019-d9aa58d863",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/"
        },
        {
          "name": "openSUSE-SU-2019:1839",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
        },
        {
          "name": "openSUSE-SU-2019:1872",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12781",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/dev/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/"
            },
            {
              "name": "[oss-security] 20190701 Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/07/01/3"
            },
            {
              "name": "USN-4043-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4043-1/"
            },
            {
              "name": "109018",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/109018"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190705-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190705-0002/"
            },
            {
              "name": "DSA-4476",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4476"
            },
            {
              "name": "20190708 [SECURITY] [DSA 4476-1] python-django security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/10"
            },
            {
              "name": "FEDORA-2019-d9aa58d863",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/"
            },
            {
              "name": "openSUSE-SU-2019:1839",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
            },
            {
              "name": "openSUSE-SU-2019:1872",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12781",
    "datePublished": "2019-07-01T13:56:37",
    "dateReserved": "2019-06-10T00:00:00",
    "dateUpdated": "2024-08-04T23:32:54.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-4249

Vulnerability from cvelistv5

Published

2013-10-04 17:00

Modified

2024-08-06 16:38

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1028915	vdb-entry, x_refsource_SECTRACK
	http://secunia.com/advisories/54476	third-party-advisory, x_refsource_SECUNIA
	http://seclists.org/oss-sec/2013/q3/369	mailing-list, x_refsource_MLIST
	https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/86438	vdb-entry, x_refsource_XF
	https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued	x_refsource_CONFIRM
	https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560	x_refsource_CONFIRM
	http://seclists.org/oss-sec/2013/q3/411	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.847Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1028915",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1028915"
          },
          {
            "name": "54476",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/54476"
          },
          {
            "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/369"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78"
          },
          {
            "name": "django-administrative-xss(86438)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86438"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560"
          },
          {
            "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2013/q3/411"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-08-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-28T12:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "1028915",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1028915"
        },
        {
          "name": "54476",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/54476"
        },
        {
          "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/369"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78"
        },
        {
          "name": "django-administrative-xss(86438)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86438"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560"
        },
        {
          "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2013/q3/411"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4249",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1028915",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1028915"
            },
            {
              "name": "54476",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/54476"
            },
            {
              "name": "[oss-security] 20130814 [CVE request] Django 1.4.6 security release",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2013/q3/369"
            },
            {
              "name": "https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78"
            },
            {
              "name": "django-administrative-xss(86438)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86438"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued"
            },
            {
              "name": "https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560"
            },
            {
              "name": "[oss-security] 20130819 Re: [CVE request] Django 1.4.6 security release",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2013/q3/411"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4249",
    "datePublished": "2013-10-04T17:00:00",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.847Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-33571

Vulnerability from cvelistv5

Published

2021-06-08 00:00

Modified

2024-08-03 23:50

Severity ?

Summary

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

References

▼	URL	Tags
	https://docs.djangoproject.com/en/3.2/releases/security/
	https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
	https://security.netapp.com/advisory/ntap-20210727-0004/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
	https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
	https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:43.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210727-0004/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) ."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-07T22:09:18.547259",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/3.2/releases/security/"
        },
        {
          "url": "https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20210727-0004/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc"
        },
        {
          "url": "https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e"
        },
        {
          "url": "https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-33571",
    "datePublished": "2021-06-08T00:00:00",
    "dateReserved": "2021-05-25T00:00:00",
    "dateUpdated": "2024-08-03T23:50:43.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-4315

Vulnerability from cvelistv5

Published

2013-09-16 19:00

Modified

2024-08-06 16:38

Severity ?

Summary

Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.

References

▼	URL	Tags
	http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html	vendor-advisory, x_refsource_SUSE
	http://secunia.com/advisories/54772	third-party-advisory, x_refsource_SECUNIA
	http://rhn.redhat.com/errata/RHSA-2013-1521.html	vendor-advisory, x_refsource_REDHAT
	https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/	x_refsource_CONFIRM
	http://secunia.com/advisories/54828	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2013/dsa-2755	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2013:1541",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
          },
          {
            "name": "54772",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/54772"
          },
          {
            "name": "RHSA-2013:1521",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/"
          },
          {
            "name": "54828",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/54828"
          },
          {
            "name": "DSA-2755",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2013/dsa-2755"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-09-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-12-09T05:57:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "openSUSE-SU-2013:1541",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
        },
        {
          "name": "54772",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/54772"
        },
        {
          "name": "RHSA-2013:1521",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/"
        },
        {
          "name": "54828",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/54828"
        },
        {
          "name": "DSA-2755",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2013/dsa-2755"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-4315",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2013:1541",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"
            },
            {
              "name": "54772",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/54772"
            },
            {
              "name": "RHSA-2013:1521",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1521.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/"
            },
            {
              "name": "54828",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/54828"
            },
            {
              "name": "DSA-2755",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2013/dsa-2755"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4315",
    "datePublished": "2013-09-16T19:00:00",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2015-8213

Vulnerability from cvelistv5

Published

2015-12-07 20:00

Modified

2024-08-06 08:13

Severity ?

Summary

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

References

▼	URL	Tags
	https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html	vendor-advisory, x_refsource_SUSE
	http://www.ubuntu.com/usn/USN-2816-1	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2016-0129.html	vendor-advisory, x_refsource_REDHAT
	https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html	vendor-advisory, x_refsource_FEDORA
	http://www.securitytracker.com/id/1034237	vdb-entry, x_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2016-0158.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2016-0157.html	vendor-advisory, x_refsource_REDHAT
	http://www.debian.org/security/2015/dsa-3404	vendor-advisory, x_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-0156.html	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/77750	vdb-entry, x_refsource_BID
	http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html	vendor-advisory, x_refsource_SUSE

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:13:31.831Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4"
          },
          {
            "name": "openSUSE-SU-2015:2199",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html"
          },
          {
            "name": "USN-2816-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2816-1"
          },
          {
            "name": "RHSA-2016:0129",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0129.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/"
          },
          {
            "name": "FEDORA-2015-323274d412",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html"
          },
          {
            "name": "1034237",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1034237"
          },
          {
            "name": "RHSA-2016:0158",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0158.html"
          },
          {
            "name": "RHSA-2016:0157",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0157.html"
          },
          {
            "name": "DSA-3404",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3404"
          },
          {
            "name": "RHSA-2016:0156",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0156.html"
          },
          {
            "name": "77750",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/77750"
          },
          {
            "name": "FEDORA-2015-a8c8f60fbd",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html"
          },
          {
            "name": "openSUSE-SU-2015:2202",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4"
        },
        {
          "name": "openSUSE-SU-2015:2199",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html"
        },
        {
          "name": "USN-2816-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2816-1"
        },
        {
          "name": "RHSA-2016:0129",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0129.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/"
        },
        {
          "name": "FEDORA-2015-323274d412",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html"
        },
        {
          "name": "1034237",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1034237"
        },
        {
          "name": "RHSA-2016:0158",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0158.html"
        },
        {
          "name": "RHSA-2016:0157",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0157.html"
        },
        {
          "name": "DSA-3404",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3404"
        },
        {
          "name": "RHSA-2016:0156",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0156.html"
        },
        {
          "name": "77750",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/77750"
        },
        {
          "name": "FEDORA-2015-a8c8f60fbd",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html"
        },
        {
          "name": "openSUSE-SU-2015:2202",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-8213",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4"
            },
            {
              "name": "openSUSE-SU-2015:2199",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html"
            },
            {
              "name": "USN-2816-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2816-1"
            },
            {
              "name": "RHSA-2016:0129",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0129.html"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/"
            },
            {
              "name": "FEDORA-2015-323274d412",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html"
            },
            {
              "name": "1034237",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1034237"
            },
            {
              "name": "RHSA-2016:0158",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0158.html"
            },
            {
              "name": "RHSA-2016:0157",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0157.html"
            },
            {
              "name": "DSA-3404",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3404"
            },
            {
              "name": "RHSA-2016:0156",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0156.html"
            },
            {
              "name": "77750",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/77750"
            },
            {
              "name": "FEDORA-2015-a8c8f60fbd",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html"
            },
            {
              "name": "openSUSE-SU-2015:2202",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-8213",
    "datePublished": "2015-12-07T20:00:00",
    "dateReserved": "2015-11-14T00:00:00",
    "dateUpdated": "2024-08-06T08:13:31.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2014-0474

Vulnerability from cvelistv5

Published

2014-04-23 14:00

Modified

2024-08-06 09:20

Severity ?

Summary

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

References

▼	URL	Tags
	http://www.ubuntu.com/usn/USN-2169-1	vendor-advisory, x_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2014/apr/21/security/	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2014-0457.html	vendor-advisory, x_refsource_REDHAT
	http://secunia.com/advisories/61281	third-party-advisory, x_refsource_SECUNIA
	http://www.debian.org/security/2014/dsa-2934	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://rhn.redhat.com/errata/RHSA-2014-0456.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:20:18.434Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-2169-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2169-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
          },
          {
            "name": "RHSA-2014:0457",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
          },
          {
            "name": "61281",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "RHSA-2014:0456",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-04-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-04T17:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "USN-2169-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2169-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
        },
        {
          "name": "RHSA-2014:0457",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
        },
        {
          "name": "61281",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/61281"
        },
        {
          "name": "DSA-2934",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-2934"
        },
        {
          "name": "openSUSE-SU-2014:1132",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
        },
        {
          "name": "RHSA-2014:0456",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0474",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2169-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2169-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
            },
            {
              "name": "RHSA-2014:0457",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/61281"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "RHSA-2014:0456",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-0474",
    "datePublished": "2014-04-23T14:00:00",
    "dateReserved": "2013-12-19T00:00:00",
    "dateUpdated": "2024-08-06T09:20:18.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

All the vulnerabilites related to djangoproject - Django

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5

Vulnerability from cvelistv5