Homepage
About Snyk

Django@5.0rc1 vulnerabilities

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the Django package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) due to not accounting for very large inputs involving intermediate ;s, in the django.utils.html.urlize() and django.utils.html.urlizetrunc() template filter functions.

How to fix Denial of Service (DoS)?

Upgrade django to version 4.2.16, 5.0.9, 5.1.1 or higher.

[,4.2.16) [5.0a1,5.0.9) [5.1a1,5.1.1)
  • M
Improper Check for Unusual or Exceptional Conditions

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to unhandled email sending failures in the django.contrib.auth.forms.PasswordResetForm class. This allows attackers to enumerate user email addresses by brute forcing password reset requests and observing the outcomes.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade django to version 4.2.16, 5.0.9, 5.1.1 or higher.

[,4.2.16) [5.0a1,5.0.9) [5.1a1,5.1.1)
  • M
Timing Attack

Affected versions of this package are vulnerable to Timing Attack via the django.contrib.auth.backends.ModelBackend.authenticate() method. This allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

How to fix Timing Attack?

Upgrade django to version 4.2.14, 5.0.7 or higher.

[,4.2.14) [5.0a1,5.0.7)
  • M
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class. This allows potential access to out of scope data via certain inputs when calling save() method.

Note: Built-in Storage sub-classes were not affected by this vulnerability.

How to fix Directory Traversal?

Upgrade django to version 4.2.14, 5.0.7 or higher.

[,4.2.14) [5.0a1,5.0.7)
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in django.utils.translation.get_supported_language_variant() function due to improper user input validation. An attacker can exploit this vulnerability by using very long strings containing specific characters. Exploiting this vulnerability could lead to a system crash.

How to fix Denial of Service (DoS)?

Upgrade django to version 4.2.14, 5.0.7 or higher.

[,4.2.14) [5.0a1,5.0.7)
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the in django.utils.html.urlize() and django.utils.html.urlizetrunc() functions. If certain inputs with a very large number of brackets are provided, this could lead to a system crash.

How to fix Denial of Service (DoS)?

Upgrade django to version 4.2.14, 5.0.7 or higher.

[,4.2.14) [5.0a1,5.0.7)
  • M
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in django.utils.text.Truncator.words(), whose performance can be degraded when processing a malicious input involving repeated < characters.

Note:

The function is only vulnerable when html=True is set and the truncatewords_html template filter is in use.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.25, 4.2.11, 5.0.3 or higher.

[,3.2.25) [4.0a1,4.2.11) [5.0a1,5.0.3)
Go back to all versions of this package