Debian Python-Django vulnerabilities

CVE-2021-3281 [MEDIUM] CVE-2021-3281: python-django - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django... In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. Scope: local bookworm: resolved (fixed in 2:2.2.18-1) bullseye: resolved (fixed in 2:2.2.18

CVE-2021-45452 [MEDIUM] CVE-2021-45452: python-django - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.... Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. Scope: local bookworm: resolved (fixed in 2:3.2.11-1) bullseye: resolved (fixed in 2:2.2.26-1~deb11u1) forky: resolved (fixed in 2:3.2.11-1) sid: resolved (fixed in 2:3.2.11-1) trixie: resolved (fixed in

CVE-2021-28658 [MEDIUM] CVE-2021-28658: python-django - In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartP... In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. Scope: local bookworm: resolved (fixed in 2:2.2.20-1) bullseye: resolved (fixed in 2:2.2.20-1) forky: resolved (fixed in 2:2.2.

CVE-2021-32052 [MEDIUM] CVE-2021-32052: python-django - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Pytho... In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

CVE-2021-35042 [CRITICAL] CVE-2021-35042: python-django - Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL i... Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2020-7471 [CRITICAL] CVE-2020-7471: python-django - Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL I... Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was

CVE-2020-24584 [HIGH] CVE-2020-24584: python-django - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 ... An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077. Scope: local bookworm: resolved (fixed in 2:2.2.16-1) bullseye: resolved (fixed in 2:2.2.16-1) forky: resolved (fixed in 2:2.2.16-1

CVE-2020-24583 [HIGH] CVE-2020-24583: python-django - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 ... An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic manag

CVE-2020-13596 [MEDIUM] CVE-2020-13596: python-django - An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query ... An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. Scope: local bookworm: resolved (fixed in 2:2.2.13-1) bullseye: resolved (fixed in 2:2.2.13-1) forky: resolved (fixed in 2:2.2.13-1) sid: resol

CVE-2020-13254 [MEDIUM] CVE-2020-13254: python-django - An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cas... An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. Scope: local bookworm: resolved (fixed in 2:2.2.13-1) bullseye: resolved (fixed in 2:2.2.13-1) forky: resolved (fixed in 2:2.2.1

CVE-2020-9402 [HIGH] CVE-2020-9402: python-django - Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL I... Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. Scope: local bookworm: resolved (fixed

CVE-2019-19844 [CRITICAL] CVE-2019-19844: python-django - Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account tak... Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send pas

CVE-2019-14234 [CRITICAL] CVE-2019-14234: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an... An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via craf

CVE-2019-14233 [HIGH] CVE-2019-14233: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an... An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. Scope: local bookworm: resolved (fixed in 2:2.2.4-1) bullseye: res

CVE-2019-14232 [HIGH] CVE-2019-14232: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an... An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are u

CVE-2019-14235 [HIGH] CVE-2019-14235: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an... An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. Scope: local bookworm: resolved (fixed in 2:2.2.4-1) bullseye: resolved (fixed in 2:2.2.

CVE-2019-3498 [MEDIUM] CVE-2019-3498: python-django - In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an... In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. Scope: local bookwo

CVE-2019-12308 [MEDIUM] CVE-2019-12308: python-django - An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2... An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickab

CVE-2019-19118 [MEDIUM] CVE-2019-19118: python-django - Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A... Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only

CVE-2019-12781 [MEDIUM] CVE-2019-12781: python-django - An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.... An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Scope: