Debian Python-Django vulnerabilities
149 known vulnerabilities affecting debian/python-django.
Total CVEs: 149
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 25
Vulnerabilities
Page 3 of 8

CVE-2023-23969 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.17-1 (bookworm) | 2023
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Scope: local
bookworm: resolved (fixed in 3:3.2.17-1)
bullseye

CVE-2023-36053 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.19-1+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Scope: local
bookworm: resolved (fixed in 3:3.2.19-1+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u2)
forky:

CVE-2023-41164 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed

CVE-2023-43665 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html an

CVE-2023-24580 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.18-1 (bookworm) | 2023
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Scope: local
bookworm: resolved (fi

CVE-2023-46695 | LOW | CVSS 7.5 | 2023
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved
bullseye: r

CVE-2022-34265 | CRITICAL | CVSS 9.8 | PoC | fixed in python-django 2:4.0.6-1 (bookworm) | 2022
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Scope: local
bookworm: resolved (fixed in 2:4.0.6-1)
bulls

CVE-2022-28346 | CRITICAL | CVSS 9.8 | fixed in python-django 2:3.2.13-1 (bookworm) | 2022
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fixed in 2:2

CVE-2022-28347 | CRITICAL | CVSS 9.8 | fixed in python-django 2:3.2.13-1 (bookworm) | 2022
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fix

CVE-2022-41323 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.16-1 (bookworm) | 2022
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Scope: local
bookworm: resolved (fixed in 3:3.2.16-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 3:3.2.16-1)
sid: res

CVE-2022-23833 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.12-1 (bookworm) | 2022
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Scope: local
bookworm: resolved (fixed in 2:3.2.12-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.12-1)
sid: resolved

CVE-2022-36359 | HIGH | CVSS 8.8 | fixed in python-django 3:3.2.15-1 (bookworm) | 2022
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Scope: local
bookworm: resolved (fixed in 3:3.2.15-1)
bullseye: resolved

CVE-2022-22818 | MEDIUM | CVSS 6.1 | fixed in python-django 2:3.2.12-1 (bookworm) | 2022
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Scope: local
bookworm: resolved (fixed in 2:3.2.12-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.12-1)
sid: resolved (fixed in 2:3.2.12-1)
trixie: resolved

CVE-2021-45116 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.11-1 (bookworm) | 2021
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Scope: local
bookworm: resolved (fixed in 2:3

CVE-2021-31542 | HIGH | CVSS 7.5 | fixed in python-django 2:2.2.21-1 (bookworm) | 2021
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Scope: local
bookworm: resolved (fixed in 2:2.2.21-1)
bullseye: resolved (fixed in 2:2.2.21-1)
forky: resolved (fixed in 2:2.2.21-1)
sid: resolved (fixed in 2:2.2.21-1

CVE-2021-44420 | HIGH | CVSS 7.3 | fixed in python-django 2:3.2.10-1 (bookworm) | 2021
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Scope: local
bookworm: resolved (fixed in 2:3.2.10-1)
bullseye: resolved (fixed in 2:2.2.25-1~deb11u1)
forky: resolved (fixed in 2:3.2.10-1)
sid: resolved (fixed in 2:3.2.10-1)
trixie: res

CVE-2021-33571 | HIGH | CVSS 7.5 | fixed in python-django 2:2.2.24-1 (bookworm) | 2021
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)
Scope:

CVE-2021-45115 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.11-1 (bookworm) | 2021
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for

CVE-2021-23336 | MEDIUM | CVSS 5.9 | fixed in pypy3 7.3.3+dfsg-3 (bookworm) | 2021
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a diff

CVE-2021-33203 | MEDIUM | CVSS 4.9 | fixed in python-django 2:2.2.24-1 (bookworm) | 2021
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file content