CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

CVE-2021-45115. An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

References:
• https://docs.djangoproject.com/en/4.0/releases/security
• https://groups.google.com/forum/#%21forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20220121-0005
• https://www.djangoproject.com/weblog/2022/jan/04/security-releases
• https://access.redhat.com/security/cve/CVE-2021-45115
• https://bugzilla.redhat.com/show_bug.cgi?id=2037024

Weakness: CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

CVE-2021-45116. An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. An information-disclosure flaw was found in Django, where the dictsort filter in Django's Template Language did not correctly validate user input.

References:
• https://docs.djangoproject.com/en/4.0/releases/security
• https://groups.google.com/forum/#%21forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20220121-0005
• https://www.djangoproject.com/weblog/2022/jan/04/security-releases
• https://access.redhat.com/security/cve/CVE-2021-45116
• https://bugzilla.redhat.com/show_bug.cgi?id=2037025

Weaknesses: CWE-20: Improper Input Validation; CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVSS: 7.4 | EPSS: 0% | CPEs: 4 | EXPL: 0

CVE-2021-45452. Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. A directory-traversal flaw was found in Django's Storage.save() method, where a network attacker could possibly traverse restricted paths using suitably crafted file names.

References:
• https://docs.djangoproject.com/en/4.0/releases/security
• https://groups.google.com/forum/#%21forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20220121-0005
• https://www.djangoproject.com/weblog/2022/jan/04/security-releases
• https://access.redhat.com/security/cve/CVE-2021-45452
• https://bugzilla.redhat.com/show_bug.cgi?id=2037028

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 10 | EXPL: 0

CVE-2021-44420. In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References:
• https://docs.djangoproject.com/en/3.2/releases/security
• https://groups.google.com/forum/#%21forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20211229-0006
• https://www.djangoproject.com/weblog/2021/dec/07/security-releases
• https://www.openwall.com/lists/oss-security/2021/12/07/1
• https://access.redhat.com/security/cve/CVE-2021-44420
• https://bugzilla.redhat

Weakness: CWE-290: Authentication Bypass by Spoofing

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)

References:
• https://docs.djangoproject.com/en/3.2/releases/security
• https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
• https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
• https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
• https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20210727-0004
• https:/

Weakness: CWE-918: Server-Side Request Forgery (SSRF)