csaf_opensuse - opensuse-su-2025:14662-1

opensuse-su-2025:14662-1

Vulnerability from csaf_opensuse

Published

2025-01-17 00:00

Modified

2025-01-17 00:00

Summary

python311-Django-5.1.5-1.1 on GA media

Notes

Title of the patch

python311-Django-5.1.5-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-Django-5.1.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14662

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-Django-5.1.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-Django-5.1.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14662",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14662-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-45115 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-45115/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-45452 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-45452/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-22818 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-22818/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23833 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23833/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-28346 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-28346/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-28347 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-28347/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-34265 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-34265/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-36359 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-36359/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-41323 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-41323/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-23969 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-23969/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-24580 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-24580/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56374 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56374/"
      }
    ],
    "title": "python311-Django-5.1.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-17T00:00:00Z",
      "generator": {
        "date": "2025-01-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14662-1",
      "initial_release_date": "2025-01-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-Django-5.1.5-1.1.aarch64",
                "product": {
                  "name": "python311-Django-5.1.5-1.1.aarch64",
                  "product_id": "python311-Django-5.1.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-Django-5.1.5-1.1.aarch64",
                "product": {
                  "name": "python312-Django-5.1.5-1.1.aarch64",
                  "product_id": "python312-Django-5.1.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django-5.1.5-1.1.aarch64",
                "product": {
                  "name": "python313-Django-5.1.5-1.1.aarch64",
                  "product_id": "python313-Django-5.1.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-Django-5.1.5-1.1.ppc64le",
                "product": {
                  "name": "python311-Django-5.1.5-1.1.ppc64le",
                  "product_id": "python311-Django-5.1.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-Django-5.1.5-1.1.ppc64le",
                "product": {
                  "name": "python312-Django-5.1.5-1.1.ppc64le",
                  "product_id": "python312-Django-5.1.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django-5.1.5-1.1.ppc64le",
                "product": {
                  "name": "python313-Django-5.1.5-1.1.ppc64le",
                  "product_id": "python313-Django-5.1.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-Django-5.1.5-1.1.s390x",
                "product": {
                  "name": "python311-Django-5.1.5-1.1.s390x",
                  "product_id": "python311-Django-5.1.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-Django-5.1.5-1.1.s390x",
                "product": {
                  "name": "python312-Django-5.1.5-1.1.s390x",
                  "product_id": "python312-Django-5.1.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django-5.1.5-1.1.s390x",
                "product": {
                  "name": "python313-Django-5.1.5-1.1.s390x",
                  "product_id": "python313-Django-5.1.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-Django-5.1.5-1.1.x86_64",
                "product": {
                  "name": "python311-Django-5.1.5-1.1.x86_64",
                  "product_id": "python311-Django-5.1.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-Django-5.1.5-1.1.x86_64",
                "product": {
                  "name": "python312-Django-5.1.5-1.1.x86_64",
                  "product_id": "python312-Django-5.1.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django-5.1.5-1.1.x86_64",
                "product": {
                  "name": "python313-Django-5.1.5-1.1.x86_64",
                  "product_id": "python313-Django-5.1.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Django-5.1.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64"
        },
        "product_reference": "python311-Django-5.1.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Django-5.1.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le"
        },
        "product_reference": "python311-Django-5.1.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Django-5.1.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x"
        },
        "product_reference": "python311-Django-5.1.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Django-5.1.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64"
        },
        "product_reference": "python311-Django-5.1.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django-5.1.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64"
        },
        "product_reference": "python312-Django-5.1.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django-5.1.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le"
        },
        "product_reference": "python312-Django-5.1.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django-5.1.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x"
        },
        "product_reference": "python312-Django-5.1.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django-5.1.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64"
        },
        "product_reference": "python312-Django-5.1.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django-5.1.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64"
        },
        "product_reference": "python313-Django-5.1.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django-5.1.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le"
        },
        "product_reference": "python313-Django-5.1.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django-5.1.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x"
        },
        "product_reference": "python313-Django-5.1.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django-5.1.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        },
        "product_reference": "python313-Django-5.1.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-45115",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-45115"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-45115",
          "url": "https://www.suse.com/security/cve/CVE-2021-45115"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194115 for CVE-2021-45115",
          "url": "https://bugzilla.suse.com/1194115"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194117 for CVE-2021-45115",
          "url": "https://bugzilla.suse.com/1194117"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-45115"
    },
    {
      "cve": "CVE-2021-45452",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-45452"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-45452",
          "url": "https://www.suse.com/security/cve/CVE-2021-45452"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194116 for CVE-2021-45452",
          "url": "https://bugzilla.suse.com/1194116"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-45452"
    },
    {
      "cve": "CVE-2022-22818",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-22818"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-22818",
          "url": "https://www.suse.com/security/cve/CVE-2022-22818"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195086 for CVE-2022-22818",
          "url": "https://bugzilla.suse.com/1195086"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-22818"
    },
    {
      "cve": "CVE-2022-23833",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23833"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23833",
          "url": "https://www.suse.com/security/cve/CVE-2022-23833"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195088 for CVE-2022-23833",
          "url": "https://bugzilla.suse.com/1195088"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-23833"
    },
    {
      "cve": "CVE-2022-28346",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-28346"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-28346",
          "url": "https://www.suse.com/security/cve/CVE-2022-28346"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1198398 for CVE-2022-28346",
          "url": "https://bugzilla.suse.com/1198398"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-28346"
    },
    {
      "cve": "CVE-2022-28347",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-28347"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-28347",
          "url": "https://www.suse.com/security/cve/CVE-2022-28347"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1198399 for CVE-2022-28347",
          "url": "https://bugzilla.suse.com/1198399"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-28347"
    },
    {
      "cve": "CVE-2022-34265",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-34265"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-34265",
          "url": "https://www.suse.com/security/cve/CVE-2022-34265"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1201186 for CVE-2022-34265",
          "url": "https://bugzilla.suse.com/1201186"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-34265"
    },
    {
      "cve": "CVE-2022-36359",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-36359"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-36359",
          "url": "https://www.suse.com/security/cve/CVE-2022-36359"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1201923 for CVE-2022-36359",
          "url": "https://bugzilla.suse.com/1201923"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-36359"
    },
    {
      "cve": "CVE-2022-41323",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-41323"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-41323",
          "url": "https://www.suse.com/security/cve/CVE-2022-41323"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1203793 for CVE-2022-41323",
          "url": "https://bugzilla.suse.com/1203793"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-41323"
    },
    {
      "cve": "CVE-2023-23969",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-23969"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-23969",
          "url": "https://www.suse.com/security/cve/CVE-2023-23969"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207565 for CVE-2023-23969",
          "url": "https://bugzilla.suse.com/1207565"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-23969"
    },
    {
      "cve": "CVE-2023-24580",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-24580"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-24580",
          "url": "https://www.suse.com/security/cve/CVE-2023-24580"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208082 for CVE-2023-24580",
          "url": "https://bugzilla.suse.com/1208082"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-24580"
    },
    {
      "cve": "CVE-2024-56374",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56374"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56374",
          "url": "https://www.suse.com/security/cve/CVE-2024-56374"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1235856 for CVE-2024-56374",
          "url": "https://bugzilla.suse.com/1235856"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django-5.1.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django-5.1.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-56374"
    }
  ]
}

CVE-2024-56374 (GCVE-0-2024-56374)

Vulnerability from cvelistv5

Published

2025-01-14 00:00

Modified

2025-02-12 20:31

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

References

►

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/security/
	https://groups.google.com/g/django-announce
	https://www.djangoproject.com/weblog/2025/jan/14/security-releases/

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Version: 4.2 < 4.2.18 Version: 5.0 < 5.0.11 Version: 5.1 < 5.1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T18:03:28.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/14/2"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56374",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T19:40:35.398718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:31:20.698Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Django",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "4.2.18",
              "status": "affected",
              "version": "4.2",
              "versionType": "custom"
            },
            {
              "lessThan": "5.0.11",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.1.5",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.2.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.11",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.1.5",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T19:07:03.855Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2025/jan/14/security-releases/"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-56374",
    "datePublished": "2025-01-14T00:00:00.000Z",
    "dateReserved": "2024-12-22T00:00:00.000Z",
    "dateUpdated": "2025-02-12T20:31:20.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-22818 (GCVE-0-2022-22818)

Vulnerability from cvelistv5

Published

2022-02-03 00:00

Modified

2024-08-03 03:21

Severity ?

CWE

Summary

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220221-0003/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:49.173Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-15T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-22818",
    "datePublished": "2022-02-03T00:00:00",
    "dateReserved": "2022-01-07T00:00:00",
    "dateUpdated": "2024-08-03T03:21:49.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28347 (GCVE-0-2022-28347)

Vulnerability from cvelistv5

Published

2022-04-12 00:00

Modified

2025-02-13 16:32

Severity ?

CWE

Summary

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/04/11/1
	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:56:14.933Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:22.672Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28347",
    "datePublished": "2022-04-12T00:00:00.000Z",
    "dateReserved": "2022-04-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:34.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28346 (GCVE-0-2022-28346)

Vulnerability from cvelistv5

Published

2022-04-12 00:00

Modified

2025-02-13 16:32

Severity ?

CWE

Summary

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/04/11/1
	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
	https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html	mailing-list
	https://security.netapp.com/advisory/ntap-20220609-0002/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:56:14.796Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20220414 [SECURITY] [DLA 2982-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220609-0002/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:20.960Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20220414 [SECURITY] [DLA 2982-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220609-0002/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28346",
    "datePublished": "2022-04-12T00:00:00.000Z",
    "dateReserved": "2022-04-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:33.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-45452 (GCVE-0-2021-45452)

Vulnerability from cvelistv5

Published

2022-01-04 23:09

Modified

2024-08-04 04:39

Severity ?

CWE

Summary

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/4.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2022/jan/04/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20220121-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:21.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:30",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45452",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/4.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220121-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45452",
    "datePublished": "2022-01-04T23:09:40",
    "dateReserved": "2021-12-21T00:00:00",
    "dateUpdated": "2024-08-04T04:39:21.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-24580 (GCVE-0-2023-24580)

Vulnerability from cvelistv5

Published

2023-02-15 00:00

Modified

2025-03-18 19:24

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Summary

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.1/releases/security/
	http://www.openwall.com/lists/oss-security/2023/02/14/1
	https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
	https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20230316-0006/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:18.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20230220 [SECURITY] [DLA 3329-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html"
          },
          {
            "name": "FEDORA-2023-3d775d93be",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
          },
          {
            "name": "FEDORA-2023-bde7913e5a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
          },
          {
            "name": "FEDORA-2023-a74513bda8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230316-0006/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-24580",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-18T19:24:08.191089Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-18T19:24:32.509Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:17.641Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20230220 [SECURITY] [DLA 3329-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html"
        },
        {
          "name": "FEDORA-2023-3d775d93be",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
        },
        {
          "name": "FEDORA-2023-bde7913e5a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
        },
        {
          "name": "FEDORA-2023-a74513bda8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230316-0006/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-24580",
    "datePublished": "2023-02-15T00:00:00.000Z",
    "dateReserved": "2023-01-27T00:00:00.000Z",
    "dateUpdated": "2025-03-18T19:24:32.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-45115 (GCVE-0-2021-45115)

Vulnerability from cvelistv5

Published

2022-01-04 23:16

Modified

2024-08-04 04:39

Severity ?

CWE

Summary

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce	x_refsource_MISC
	https://docs.djangoproject.com/en/4.0/releases/security/	x_refsource_MISC
	https://www.djangoproject.com/weblog/2022/jan/04/security-releases/	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20220121-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.303Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T02:06:36",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45115",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/django-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/django-announce"
            },
            {
              "name": "https://docs.djangoproject.com/en/4.0/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220121-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220121-0005/"
            },
            {
              "name": "FEDORA-2022-e7fd530688",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45115",
    "datePublished": "2022-01-04T23:16:00",
    "dateReserved": "2021-12-16T00:00:00",
    "dateUpdated": "2024-08-04T04:39:20.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-36359 (GCVE-0-2022-36359)

Vulnerability from cvelistv5

Published

2022-08-03 00:00

Modified

2025-02-13 16:32

Severity ?

CWE

Summary

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

References

►

URL

Tags

	https://docs.djangoproject.com/en/4.0/releases/security/
	http://www.openwall.com/lists/oss-security/2022/08/03/1	mailing-list
	https://groups.google.com/g/django-announce/c/8cz--gvaJr4
	https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
	https://security.netapp.com/advisory/ntap-20220915-0008/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:00:04.235Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "name": "[oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/03/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220915-0008/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:19.367Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "name": "[oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/03/1"
        },
        {
          "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220915-0008/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-36359",
    "datePublished": "2022-08-03T00:00:00.000Z",
    "dateReserved": "2022-07-21T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:48.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-23969 (GCVE-0-2023-23969)

Vulnerability from cvelistv5

Published

2023-02-01 00:00

Modified

2025-03-27 14:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Summary

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.1/releases/security/
	https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
	https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html	mailing-list
	https://security.netapp.com/advisory/ntap-20230302-0007/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:49:08.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20230201 [SECURITY] [DLA 3306-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230302-0007/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-23969",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T14:17:12.981645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T14:17:49.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:12.957Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.1/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20230201 [SECURITY] [DLA 3306-1] python-django security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230302-0007/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-23969",
    "datePublished": "2023-02-01T00:00:00.000Z",
    "dateReserved": "2023-01-20T00:00:00.000Z",
    "dateUpdated": "2025-03-27T14:17:49.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23833 (GCVE-0-2022-23833)

Vulnerability from cvelistv5

Published

2022-02-03 00:00

Modified

2024-08-03 03:51

Severity ?

CWE

Summary

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220221-0003/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
	https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
	https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.008Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
          },
          {
            "name": "FEDORA-2022-e7fd530688",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-22T23:04:35.819653",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
        },
        {
          "name": "FEDORA-2022-e7fd530688",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a"
        },
        {
          "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468"
        },
        {
          "url": "https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23833",
    "datePublished": "2022-02-03T00:00:00",
    "dateReserved": "2022-01-21T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-41323 (GCVE-0-2022-41323)

Vulnerability from cvelistv5

Published

2022-10-16 00:00

Modified

2025-05-14 14:39

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Summary

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
	https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924
	https://security.netapp.com/advisory/ntap-20221124-0001/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:42:45.749Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221124-0001/"
          },
          {
            "name": "FEDORA-2023-3d775d93be",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
          },
          {
            "name": "FEDORA-2023-bde7913e5a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
          },
          {
            "name": "FEDORA-2023-a74513bda8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-41323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T14:39:15.570204Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1333",
                "description": "CWE-1333 Inefficient Regular Expression Complexity",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T14:39:38.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:15.950Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases/"
        },
        {
          "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221124-0001/"
        },
        {
          "name": "FEDORA-2023-3d775d93be",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/"
        },
        {
          "name": "FEDORA-2023-bde7913e5a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B/"
        },
        {
          "name": "FEDORA-2023-a74513bda8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP/"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-41323",
    "datePublished": "2022-10-16T00:00:00.000Z",
    "dateReserved": "2022-09-23T00:00:00.000Z",
    "dateUpdated": "2025-05-14T14:39:38.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-34265 (GCVE-0-2022-34265)

Vulnerability from cvelistv5

Published

2022-07-04 00:00

Modified

2025-02-13 16:32

Severity ?

CWE

Summary

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

References

►

URL

Tags

	https://groups.google.com/forum/#%21forum/django-announce
	https://docs.djangoproject.com/en/4.0/releases/security/
	https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
	https://security.netapp.com/advisory/ntap-20220818-0006/
	https://www.debian.org/security/2022/dsa-5254	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:07:16.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/django-announce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220818-0006/"
          },
          {
            "name": "DSA-5254",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5254"
          },
          {
            "name": "FEDORA-2023-8fed428c5e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
          },
          {
            "name": "FEDORA-2023-a53ab7c969",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-28T03:06:14.431Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://groups.google.com/forum/#%21forum/django-announce"
        },
        {
          "url": "https://docs.djangoproject.com/en/4.0/releases/security/"
        },
        {
          "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220818-0006/"
        },
        {
          "name": "DSA-5254",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5254"
        },
        {
          "name": "FEDORA-2023-8fed428c5e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/"
        },
        {
          "name": "FEDORA-2023-a53ab7c969",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-34265",
    "datePublished": "2022-07-04T00:00:00.000Z",
    "dateReserved": "2022-06-21T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:45.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025:14662-1

Vulnerability from csaf_opensuse

CVE-2024-56374 (GCVE-0-2024-56374)

Vulnerability from cvelistv5

CVE-2022-22818 (GCVE-0-2022-22818)

Vulnerability from cvelistv5

CVE-2022-28347 (GCVE-0-2022-28347)

Vulnerability from cvelistv5

CVE-2022-28346 (GCVE-0-2022-28346)

Vulnerability from cvelistv5

CVE-2021-45452 (GCVE-0-2021-45452)

Vulnerability from cvelistv5

CVE-2023-24580 (GCVE-0-2023-24580)

Vulnerability from cvelistv5

CVE-2021-45115 (GCVE-0-2021-45115)

Vulnerability from cvelistv5

CVE-2022-36359 (GCVE-0-2022-36359)

Vulnerability from cvelistv5

CVE-2023-23969 (GCVE-0-2023-23969)

Vulnerability from cvelistv5

CVE-2022-23833 (GCVE-0-2022-23833)

Vulnerability from cvelistv5

CVE-2022-41323 (GCVE-0-2022-41323)

Vulnerability from cvelistv5

CVE-2022-34265 (GCVE-0-2022-34265)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature