django@2.2 vulnerabilities

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Direct Vulnerabilities

Known vulnerabilities in the django package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in django.utils.text.Truncator.words(), whose performance can be degraded when processing a malicious input involving repeated < characters.

Note:

The function is only vulnerable when html=True is set and the truncatewords_html template filter is in use.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.25, 4.2.11, 5.0.3 or higher.

[,3.2.25) [4.0a1,4.2.11) [5.0a1,5.0.3)
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the NFKC normalization function in django.contrib.auth.forms.UsernameField. A potential attack can be executed via certain inputs with a very large number of Unicode characters.

Note: This vulnerability is only exploitable on Windows systems.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.23, 4.1.13, 4.2.7 or higher.

[,3.2.23) [4.0a1,4.1.13) [4.2a1,4.2.7)
  • M
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the chars() and words() methods in the django.utils.text.Truncator function. An attacker can cause a denial of service by exploiting the inefficient regular expression complexity, which exhibits linear backtracking complexity and can be slow, given certain long and potentially malformed HTML inputs.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.22, 4.1.12, 4.2.6 or higher.

[,3.2.22) [4.0,4.1.12) [4.2,4.2.6)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in the django.utils.encoding.uri_to_iri() function when processing inputs with a large number of Unicode characters.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.21, 4.1.11, 4.2.5 or higher.

[,3.2.21) [4.0a1,4.1.11) [4.2a1,4.2.5)
  • H
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the EmailValidator and URLValidator classes, when processing a very large number of domain name labels on emails or URLs.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.20, 4.1.10, 4.2.3 or higher.

[,3.2.20) [4.0a1,4.1.10) [4.2a1,4.2.3)
  • M
Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single forms.FileField or forms.ImageField.

How to fix Arbitrary File Upload?

Upgrade django to version 3.2.19, 4.1.9, 4.2.1 or higher.

[,3.2.19) [4.1a1,4.1.9) [4.2a1,4.2.1)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data in http/multipartparser.py. An attacker can trigger the opening of a large number of uploaded files which are not subsequently closed, consuming memory or filehandling resources.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.18, 4.0.10, 4.1.7 or higher.

[,3.2.18) [4.0a1,4.0.10) [4.1a1,4.1.7)
  • H
Reflected File Download (RFD)

Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

How to fix Reflected File Download (RFD)?

Upgrade django to version 3.2.15, 4.0.7, 4.1 or higher.

[,3.2.15) [4.0a1,4.0.7) [4.1rc1,4.1)
  • C
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection via the Trunc(kind) and Extract(lookup_name) arguments, if untrusted data is used as a kind/lookup_name value.

Note: Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Django 4.1 pre-released versions (4.1a1, 4.1a2) are affected by this issue, please avoid using the 4.1 branch until 4.1.0 is released.

How to fix SQL Injection?

Upgrade Django to version 3.2.14, 4.0.6 or higher.

[,3.2.14) [4.0a1,4.0.6)
  • C
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection via QuerySet.explain(**options) in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument on PostgreSQL.

How to fix SQL Injection?

Upgrade Django to version 2.2.28, 3.2.13, 4.0.4 or higher.

[,2.2.28) [3.0,3.2.13) [4.0,4.0.4)
  • C
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection in QuerySet.annotate(), aggregate(), and extra() methods, in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

How to fix SQL Injection?

Upgrade Django to version 2.2.28, 3.2.13, 4.0.4 or higher.

[,2.2.28) [3.0,3.2.13) [4.0,4.0.4)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the {% debug %} template tag. The tag doesn't properly encode the current context, outputting unescaped context variables.

How to fix Cross-site Scripting (XSS)?

Upgrade django to version 2.2.27, 3.2.12, 4.0.2 or higher.

[,2.2.27) [3.0,3.2.12) [4.0,4.0.2)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via an infinite loop during file parsing that occurs when certain inputs are passed to multipart forms.

How to fix Denial of Service (DoS)?

Upgrade django to version 2.2.27, 3.2.12, 4.0.2 or higher.

[,2.2.27) [3.0,3.2.12) [4.0,4.0.2)
  • L
Directory Traversal

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal via Storage.save().

Note: this is exploitable only if crafted file names are being directly passed to the save function..

How to fix Directory Traversal?

Upgrade Django to version 2.2.26, 3.2.11, 4.0.1 or higher.

[,2.2.26) [3.0,3.2.11) [4.0,4.0.1)
  • L
Information Exposure

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Information Exposure via the dictsort template filter, when leveraging the Django Template Language's variable resolution logic by supplying a maliciously crafted key.

Note: all untrusted user input should be validated before use.

How to fix Information Exposure?

Upgrade Django to version 2.2.26, 3.2.11, 4.0.1 or higher.

[,2.2.26) [3.0,3.2.11) [4.0,4.0.1)
  • M
Denial of Service (DoS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Denial of Service (DoS) via UserAttributeSimilarityValidator, when evaluating submitted passwords that are extremely large relatively to the comparison values. This issue is mitigated in newer versions by ignoring long values in UserAttributeSimilarityValidator.

Note: it is exploitable under the assumption that access to user registration is unrestricted.

How to fix Denial of Service (DoS)?

Upgrade Django to version 2.2.26, 3.2.11, 4.0.1 or higher.

[,2.2.26) [3.0,3.2.11) [4.0,4.0.1)
  • M
Access Restriction Bypass

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Access Restriction Bypass. HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

How to fix Access Restriction Bypass?

Upgrade Django to version 2.2.25, 3.1.14, 3.2.10 or higher.

[,2.2.25) [3.0,3.1.14) [3.2,3.2.10)
  • H
Directory Traversal

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal via admindocs TemplateDetailView.

How to fix Directory Traversal?

Upgrade Django to version 3.2.4, 3.1.12, 2.2.24 or higher.

[3.2,3.2.4) [3.1,3.1.12) [,2.2.24)
  • M
Improper Input Validation

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Improper Input Validation. URLValidator, validate_ipv4_address(), and validate_ipv46_address() did not prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. It only affects Python < 3.9.5.

How to fix Improper Input Validation?

Upgrade Django to version 2.2.24, 3.1.12, 3.2.4 or higher.

[2.2,2.2.24) [3.1,3.1.12) [3.2,3.2.4)
  • H
HTTP Header Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to HTTP Header Injection. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid.

This issue was introduced by the bpo-43882 fix.

How to fix HTTP Header Injection?

Upgrade Django to version 3.2.2, 3.1.10, 2.2.22 or higher.

[3.2,3.2.2) [3.0,3.1.10) [,2.2.22)
  • L
Directory Traversal

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal. MultiPartParser, UploadedFile, and FieldFile allow directory-traversal via uploaded files with suitably crafted file names.

How to fix Directory Traversal?

Upgrade Django to version 2.2.21, 3.1.9, 3.2.1 or higher.

[,2.2.21) [3.0,3.1.9) [3.2,3.2.1)
  • L
Directory Traversal

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal. MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.

How to fix Directory Traversal?

Upgrade Django to version 2.2.20, 3.0.14, 3.1.8 or higher.

[2.2,2.2.20) [3.0,3.0.14) [3.1,3.1.8)
  • M
Web Cache Poisoning

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Web Cache Poisoning. Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default.

How to fix Web Cache Poisoning?

Upgrade Django to version 2.2.19, 3.0.13, 3.1.7 or higher.

[2.2,2.2.19) [3.0,3.0.13) [3.1,3.1.7)
  • L
Directory Traversal

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal via the django.utils.archive.extract() function, which is used by startapp --template and startproject --template. This can happen via an archive with absolute paths or relative paths with dot segments.

How to fix Directory Traversal?

Upgrade Django to version 2.2.18, 3.0.12, 3.1.6 or higher.

[1.4,2.2.18) [3.0a1,3.0.12) [3.1a1,3.1.6)
  • H
Insecure Permissions

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Insecure Permissions. The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

How to fix Insecure Permissions?

Upgrade Django to version 2.2.16, 3.0.10, 3.1.1 or higher.

[2.2,2.2.16) [3.0,3.0.10) [3.1,3.1.1)
  • H
Insecure Permissions

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Insecure Permissions. On Python 3.7 and above, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

How to fix Insecure Permissions?

Upgrade Django to version 2.2.16, 3.0.10, 3.1.1 or higher.

[2.2,2.2.16) [3.0,3.0.10) [3.1,3.1.1)
  • M
Information Exposure

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Information Exposure. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

How to fix Information Exposure?

Upgrade Django to version 3.0.7, 2.2.13 or higher.

[3.0,3.0.7) [2.2,2.2.13)
  • M
Cross-site Scripting (XSS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector.

How to fix Cross-site Scripting (XSS)?

Upgrade Django to version 3.0.7, 2.2.13 or higher.

[3.0.0,3.0.7) [2.2.0,2.2.13)
  • H
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection via "tolerance" parameter in GIS functions and aggregates on Oracle.

How to fix SQL Injection?

Upgrade Django to version 3.0.4, 2.2.11, 1.11.29 or higher.

[3.0,3.0.4) [2.2,2.2.11) [,1.11.29)
  • H
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection. If untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter) by passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it is possible to break escaping and inject malicious SQL.

How to fix SQL Injection?

Upgrade Django to version 3.0.3, 2.2.10, 1.11.28 or higher.

[3.0,3.0.3) [2.2,2.2.10) [1.11,1.11.28)
  • M
Account Hijacking

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Account Hijacking. By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

How to fix Account Hijacking?

Upgrade Django to version 3.0.1, 2.2.9, 1.11.27 or higher.

[3.0.0,3.0.1) [2.2.0,2.2.9) [1.11.0,1.11.27)
  • M
Privilege Escalation

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Privilege Escalation. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked.

How to fix Privilege Escalation?

Upgrade Django to version 2.1.15, 2.2.8 or higher.

[2.1,2.1.15) [2.2,2.2.8)
  • M
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection. Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

How to fix SQL Injection?

Upgrade Django to version 1.11.23, 2.1.11, 2.2.4 or higher.

[1.11,1.11.23) [2.1,2.1.11) [2.2,2.2.4)
  • M
Denial of Service (DoS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Denial of Service (DoS). Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

How to fix Denial of Service (DoS)?

Upgrade Django to version 1.11.23, 2.1.11, 2.2.4 or higher.

[1.11,1.11.23) [2.1,2.1.11) [2.2,2.2.4)
  • M
Denial of Service (DoS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Denial of Service (DoS). If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

How to fix Denial of Service (DoS)?

Upgrade Django to version 1.11.23, 2.1.11, 2.2.4 or higher.

[1.11,1.11.23) [2.1,2.1.11) [2.2,2.2.4)
  • M
Denial of Service (DoS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Denial of Service (DoS). If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

How to fix Denial of Service (DoS)?

Upgrade Django to version 1.11.23, 2.1.11, 2.2.4 or higher.

[1.11,1.11.23) [2.1,2.1.11) [2.2,2.2.4)
  • H
Man-in-the-Middle (MitM)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. As such, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.

How to fix Man-in-the-Middle (MitM)?

Upgrade Django to version 1.11.22, 2.1.10, 2.2.3 or higher.

[1.11.0,1.11.22) [2.1.0,2.1.10) [2.2.0,2.2.3)
  • L
Cross-site Scripting (XSS)

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

How to fix Cross-site Scripting (XSS)?

Upgrade Django to version 1.11.21, 2.1.9, 2.2.2 or higher.

[1.11.0,1.11.21) [2.1.0,2.1.9) [2.2.0,2.2.2)