Django@4.2.27 vulnerabilities

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

  • latest version: 6.0.3

  • latest non vulnerable version

  • first published: 15 years ago

  • latest version published: 16 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the Django package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Medium: Allocation of Resources Without Limits or Throttling

    Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the URLField.to_python() function when processing URLs containing certain Unicode characters on Windows systems. An attacker can cause excessive resource consumption and application unresponsiveness by submitting large URL inputs crafted with these characters.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade Django to version 4.2.29, 5.2.12, 6.0.3 or higher.

    Vulnerable versions: [4.2a1,4.2.29), [5.2a1,5.2.12), [6.0a1,6.0.3)

    • Low: Race Condition

    Affected versions of this package are vulnerable to a Race Condition in the file-system storage and file-based cache backends, which rely on the process umask, when running in multi-threaded environments. An attacker can manipulate file system object permissions by making concurrent requests, potentially leading to unauthorized access to or modification of files.

    How to fix Race Condition?

    Upgrade Django to version 4.2.29, 5.2.12, 6.0.3 or higher.

    Vulnerable versions: [4.2a1,4.2.29), [5.2a1,5.2.12), [6.0a1,6.0.3)

    • Medium: Inefficient Algorithmic Complexity

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the django.utils.text.Truncator.chars and Truncator.words methods (when html=True), as well as the truncatechars_html and truncatewords_html template filters, when processing crafted input containing a large number of unmatched HTML end tags. An attacker can cause excessive resource consumption by submitting such specially crafted input.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [4.2a1,4.2.28), [5.2a1,5.2.11), [6.0a1,6.0.2)

    • Critical: SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via FilteredRelation when control characters are used in column aliases that are passed, by expanding a crafted dictionary, as the **kwargs argument to QuerySet methods such as annotate, aggregate, extra, values, values_list, and alias. An attacker can execute arbitrary SQL commands by supplying malicious input to these methods.

    How to fix SQL Injection?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [4.2a1,4.2.28), [5.2a1,5.2.11), [6.0a1,6.0.2)

    • Critical: SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via QuerySet.order_by and FilteredRelation when column aliases containing periods are supplied by expanding a crafted dictionary. An attacker can execute arbitrary SQL commands by supplying specially crafted input to these components.

    How to fix SQL Injection?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [4.2a1,4.2.28), [5.2a1,5.2.11), [6.0a1,6.0.2)

    • Medium: Timing Attack

    Affected versions of this package are vulnerable to Timing Attack via the check_password function in the modwsgi.py file. An attacker can determine the existence of valid usernames by measuring response times during authentication attempts.

    How to fix Timing Attack?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [4.2a1,4.2.28), [5.2a1,5.2.11), [6.0a1,6.0.2)

    • Medium: Inefficient Algorithmic Complexity

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via repeated headers when using ASGI. An attacker can exhaust system resources by sending specially crafted requests containing multiple duplicate headers.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [4.2a1,4.2.28), [5.2a1,5.2.11), [6.0a1,6.0.2)

    • High: SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the band index parameter band_lhs in check_raster lookups when using PostGIS. An attacker can execute arbitrary SQL commands by supplying crafted input to this parameter.

    How to fix SQL Injection?

    Upgrade Django to version 4.2.28, 5.2.11, 6.0.2 or higher.

    Vulnerable versions: [,4.2.28), [5.0a1,5.2.11), [6.0a1,6.0.2)