django@4.2.12 vulnerabilities

Affected versions of this package are vulnerable to Denial of Service (DoS) due to not accounting for very large inputs involving intermediate ;s, in the django.utils.html.urlize() and django.utils.html.urlizetrunc() template filter functions.

Upgrade django to version 4.2.16, 5.0.9, 5.1.1 or higher.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to unhandled email sending failures in the django.contrib.auth.forms.PasswordResetForm class. This allows attackers to enumerate user email addresses by brute forcing password reset requests and observing the outcomes.

Upgrade django to version 4.2.16, 5.0.9, 5.1.1 or higher.

Affected versions of this package are vulnerable to SQL Injection via the QuerySet.values() and values_list() methods on models with a JSONField. An attacker can exploit this vulnerability through column aliases by using a maliciously crafted JSON object object key as a passed *arg.

Upgrade django to version 4.2.15, 5.0.8 or higher.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption via the floatformat() template filter, when given a string representation of a number in scientific notation with a large exponent.

Upgrade django to version 4.2.15, 5.0.8 or higher.

Affected versions of this package are vulnerable to Denial of Service (DoS) via certain inputs with a very large number of Unicode characters in the urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget.

Upgrade django to version 4.2.15, 5.0.8 or higher.

Affected versions of this package are vulnerable to Denial of Service (DoS) via very large inputs with a specific sequence of characters in the urlize() and urlizetrunc() template filters.

Upgrade django to version 4.2.15, 5.0.8 or higher.

Affected versions of this package are vulnerable to Timing Attack via the django.contrib.auth.backends.ModelBackend.authenticate() method. This allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

Upgrade django to version 4.2.14, 5.0.7 or higher.

Affected versions of this package are vulnerable to Directory Traversal via the derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class. This allows potential access to out of scope data via certain inputs when calling save() method.

Note: Built-in Storage sub-classes were not affected by this vulnerability.

Upgrade django to version 4.2.14, 5.0.7 or higher.

Affected versions of this package are vulnerable to Denial of Service (DoS) in django.utils.translation.get_supported_language_variant() function due to improper user input validation. An attacker can exploit this vulnerability by using very long strings containing specific characters. Exploiting this vulnerability could lead to a system crash.

Upgrade django to version 4.2.14, 5.0.7 or higher.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the in django.utils.html.urlize() and django.utils.html.urlizetrunc() functions. If certain inputs with a very large number of brackets are provided, this could lead to a system crash.

Upgrade django to version 4.2.14, 5.0.7 or higher.