zettatips / django-first-blog
Tutorial from Django Girls
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Publish Date: 2019-04-18
URL: CVE-2019-11324
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
Release Date: 2019-04-18
Fix Resolution: 1.24.2
Step up your Open Source Security Game with Mend here
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Publish Date: 2020-03-05
URL: CVE-2020-9402
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
Release Date: 2020-03-05
Fix Resolution: 1.11.29,2.2.11,3.0.4
A non-validating SQL parser module for Python
Library home page: https://github.com/andialbrecht/sqlparse.git
Found in base branch: master
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2023-04-18
URL: CVE-2023-30608
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rrm6-wvj7-cwh2
Release Date: 2023-04-18
Fix Resolution: sqlparse - 0.4.4
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Publish Date: 2019-08-02
URL: CVE-2019-14233
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Publish Date: 2020-09-04
URL: CVE-2019-20916
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
Release Date: 2020-09-04
Fix Resolution: 19.2
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.
Publish Date: 2022-07-04
URL: CVE-2022-34265
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Release Date: 2022-07-04
Fix Resolution: Django - 3.2.14,4.0.6
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in base branch: master
/venv/Lib/site-packages/pip-19.0.3-py3.7.egg/pip/_vendor/urllib3/util/retry.py
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: urllib3 - 1.26.17,2.0.6
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Publish Date: 2023-10-15
URL: CVE-2018-25091
Base Score Metrics:
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Publish Date: 2020-06-03
URL: CVE-2020-13254
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Release Date: 2020-06-03
Fix Resolution: 3.0.7,2.2.13
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Publish Date: 2019-03-13
URL: CVE-2019-9740
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
Release Date: 2019-03-13
Fix Resolution: v2.7.17,v3.5.8,v3.6.9,3.7.4,3.7.5
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
/venv/Lib/site-packages/pip-19.0.3-py3.7.egg/pip/_vendor/urllib3/connection.py
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Publish Date: 2021-05-06
URL: CVE-2021-32052
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052
Release Date: 2021-05-06
Fix Resolution: Django - 2.2.22,3.1.10,3.2.2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Publish Date: 2022-01-05
URL: CVE-2021-45452
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Release Date: 2022-01-05
Fix Resolution: Django - 2.2.26,3.2.11,4.0.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Publish Date: 2019-08-02
URL: CVE-2019-14232
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Publish Date: 2022-04-12
URL: CVE-2022-28346
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-04-12
Fix Resolution: Django - 2.2.28,3.2.13,4.0.4
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Publish Date: 2022-01-05
URL: CVE-2021-45116
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Release Date: 2022-01-05
Fix Resolution: Django - 2.2.26,3.2.11,4.0.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Publish Date: 2021-06-08
URL: CVE-2021-33203
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/3.2/releases/security/
Release Date: 2021-06-08
Fix Resolution: Django - 2.2.24, 3.1.12, 3.2.4
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Publish Date: 2019-08-02
URL: CVE-2019-14235
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
/venv/Lib/site-packages/pip-19.0.3-py3.7.egg/pip/_internal/vcs/mercurial.py
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Publish Date: 2023-10-25
URL: CVE-2023-5752
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-25
Fix Resolution: pip - 23.3
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Publish Date: 2020-02-03
URL: CVE-2020-7471
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
Release Date: 2020-06-19
Fix Resolution: 1.11.28,2.2.10,3.0.3
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Publish Date: 2019-08-09
URL: CVE-2019-14234
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
Release Date: 2019-08-09
Fix Resolution: 2.2.4, 2.1.11, 1.11.23
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
/venv/Lib/site-packages/django/urls/resolvers.py
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Publish Date: 2021-12-08
URL: CVE-2021-44420
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/3.2/releases/security/
Release Date: 2021-12-08
Fix Resolution: Django - 2.2.25,3.1.14,3.2.10
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Publish Date: 2021-04-06
URL: CVE-2021-28658
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
Release Date: 2021-04-06
Fix Resolution: django-2.2.20, 3.0.14, 3.1.8, 3.2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
Publish Date: 2020-09-01
URL: CVE-2020-24584
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Release Date: 2020-09-01
Fix Resolution: 2.2.16,3.0.10,3.1.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Publish Date: 2019-12-02
URL: CVE-2019-19118
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118
Release Date: 2019-12-02
Fix Resolution: 2.1.15,2.2.8
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Publish Date: 2022-02-03
URL: CVE-2022-23833
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Release Date: 2022-02-03
Fix Resolution: Django - 2.2.27,3.2.12,4.0.2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Publish Date: 2020-06-03
URL: CVE-2020-13596
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Release Date: 2020-06-03
Fix Resolution: 3.0.7,2.2.13
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Publish Date: 2019-12-18
URL: CVE-2019-19844
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
Release Date: 2019-12-18
Fix Resolution: 1.11.27;2.2.9;3.0.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
Publish Date: 2020-09-01
URL: CVE-2020-24583
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Release Date: 2020-09-01
Fix Resolution: 2.2.16,3.0.10,3.1.1
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Publish Date: 2022-04-12
URL: CVE-2022-28347
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28347
Release Date: 2022-04-12
Fix Resolution: Django - 2.2.28,3.2.13,4.0.4
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Publish Date: 2021-11-10
URL: CVE-2021-3572
Base Score Metrics:
Type: Upgrade version
Origin: https://security.archlinux.org/CVE-2021-3572
Release Date: 2021-11-10
Fix Resolution: pip - 21.1
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
/venv/Lib/site-packages/pip-19.0.3-py3.7.egg/pip/_vendor/urllib3/util/url.py
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
Publish Date: 2019-04-15
URL: CVE-2019-11236
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r64q-w8jr-g9qp
Release Date: 2019-04-15
Fix Resolution: urllib3 - 1.24.3
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution: urllib3 - 1.26.18,2.0.7
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Publish Date: 2022-02-03
URL: CVE-2022-22818
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Release Date: 2022-02-03
Fix Resolution: Django - 2.2.27,3.2.12,4.0.2
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
Publish Date: 2022-01-05
URL: CVE-2021-45115
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Release Date: 2022-01-05
Fix Resolution: Django - 2.2.26,3.2.11,4.0.1
A non-validating SQL parser module for Python
Library home page: https://github.com/andialbrecht/sqlparse.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
StripComments filter contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service)
The formatter function that strips comments from SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
Publish Date: 2021-09-10
URL: WS-2021-0369
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p5w8-wqhj-9hhf
Release Date: 2021-09-10
Fix Resolution: sqlparse - 0.4.2
Python is a programming language that lets you work quickly and integrate systems more effectively.
Library home page: https://www.python.org/ftp/python/?wsslib=python
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
/venv/Lib/site-packages/pip-19.0.3-py3.7.egg/pip/_vendor/urllib3/util/url.py
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Publish Date: 2021-05-05
URL: CVE-2021-31542
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2021/may/04/security-releases/
Release Date: 2021-05-05
Fix Resolution: Django - 2.2.21,3.1.9,3.2.1
The Web framework for perfectionists with deadlines.
Library home page: https://github.com/django/django.git
Found in HEAD commit: 63fab47586aa018db6d1d4296fbab721644c2951
Found in base branch: master
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)
Publish Date: 2021-06-08
URL: CVE-2021-33571
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
Release Date: 2021-06-08
Fix Resolution: Django - 2.2.24, 3.1.12, 3.2.4